Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
By Heine on
- Advisory ID: DRUPAL-SA-2008-023
- Project: Ubercart (third-party module)
- Version: 5.x
- Date: 2008-April-02
- Security risk: Moderately critical
- Exploitable from: Remote
- Vulnerability: Cross site scripting
Description
During checkout in Ubercart enabled stores, customers have text fields in which to enter their address and order information. Some stores will have modules enabled that restrict what sort of values are accepted in these fields, but this is not the case for everyone. This provides an opportunity for a malicious user to perform a cross site scripting attack when the orders are displayed on administrative pages (particularly the order view page).
All users are encouraged to update to the latest version. Be sure to verify the compatibility of your contrib modules as you perform the update. (Recent beta users should not run into any compatibility issues.)
Versions affected
- Ubercart for Drupal 5.x prior to 5.x-1.0-rc1
Drupal core is not affected. If you do not use the contributed Ubercart module, there is nothing you need to do.
Solution
Install the latest version:
See also the Ubercart project page.
Reported by
chadcrew reported the issue via private message at Ubercart.org, and the Ubercart team was able to adjust the code in various modules in the project accordingly.
Contact
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.
