- Advisory ID: DRUPAL-SA-2008-023
- Project: Ubercart (third-party module)
- Version: 5.x
- Date: 2008-April-02
- Security risk: Moderately critical
- Exploitable from: Remote
- Vulnerability: Cross site scripting
During checkout in Ubercart enabled stores, customers have text fields in which to enter their address and order information. Some stores will have modules enabled that restrict what sort of values are accepted in these fields, but this is not the case for everyone. This provides an opportunity for a malicious user to perform a cross site scripting attack when the orders are displayed on administrative pages (particularly the order view page).
All users are encouraged to update to the latest version. Be sure to verify the compatibility of your contrib modules as you perform the update. (Recent beta users should not run into any compatibility issues.)
- Ubercart for Drupal 5.x prior to 5.x-1.0-rc1
Drupal core is not affected. If you do not use the contributed Ubercart module, there is nothing you need to do.
Install the latest version:
See also the Ubercart project page.
chadcrew reported the issue via private message at Ubercart.org, and the Ubercart team was able to adjust the code in various modules in the project accordingly.
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.