[IT-SecNots] [Security-news] Ubercart - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2019-032

[security-news AT drupal.org]

View online: https://www.drupal.org/sa-contrib-2019-032

Project: Ubercart [1]
Date: 2019-March-06
Security risk: *Moderately critical* 12∕25
AC:None/A:Admin/CI:None/II:Some/E:Proof/TD:Default [2]
Vulnerability: Cross Site Request Forgery

Description: 
The Ubercart module provides a shopping cart and e-commerce features for
Drupal.

The taxes module doesn't sufficiently protect the tax rate cloning feature. A
malicious user could trick a store administrator into duplicating an existing
tax rate by getting them to visit a specially-crafted URL.

Solution: 
Install the latest version:

  * If you use the Ubercart module for Drupal 7.x, upgrade to Ubercart
    7.x-3.12 [3]

Reported By: 
  * Ayesh Karunaratne  [4]

Fixed By: 
  * Dave Long  [5]
  * Ayesh Karunaratne  [6]
  * Tim Rohaly  [7]

Coordinated By: 
  * Michael Hess [8] of the Drupal Security Team


[1] https://www.drupal.org/project/ubercart
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/ubercart/releases/7.x-3.12
[4] https://www.drupal.org/user/796148
[5] https://www.drupal.org/user/246492
[6] https://www.drupal.org/user/796148
[7] https://www.drupal.org/user/202830
[8] https://www.drupal.org/u/mlhess

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news