  • Advisory ID: DRUPAL-SA-2008-027
  • Project: Ubercart (third-party module)
  • Version: 5.x
  • Date: 2008-April-23
  • Security risk: Less critical
  • Exploitable from: Remote
  • Vulnerability: Cross site scripting

Description

When certain product feature edit pages were rendered, node titles were printed unescaped, exactly as entered by the user who created the product. If a store owner had granted product creation rights to an untrusted user, that user could store a malicious title and carry out a cross site scripting attack against an administrator who later viewed the edit page (a stored XSS, executed with the administrator's privileges).
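The following is an added illustration of the class of bug described above; it is not Ubercart's code and the function names are hypothetical. It shows a node title concatenated into admin-page markup as entered, next to the Drupal 5 fix of passing the title through check_plain() at output time. A fallback definition of check_plain() matching Drupal's implementation is included so the file runs outside Drupal.

```php
<?php
// Added example, not Ubercart's own code. Demonstrates unescaped output of a
// node title on an admin edit page and the corresponding check_plain() fix.

// Drupal 5 defines check_plain(); this fallback matches its implementation so
// the file can be run stand-alone with the php CLI.
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES);
  }
}

// Hypothetical helper: the vulnerable pattern. The title is treated as
// trusted markup, so any HTML or script stored in it is sent to the browser
// of whoever views the page.
function example_feature_heading_unsafe($node) {
  return '<h2>Features for ' . $node->title . '</h2>';
}

// Hypothetical helper: the hardened pattern. The title is escaped at output,
// so the browser renders it as text rather than executing it.
function example_feature_heading_safe($node) {
  return '<h2>Features for ' . check_plain($node->title) . '</h2>';
}

// Constructed sample node: a product saved by an untrusted user who has the
// permission to create products. In the real bug the title is stored in the
// database and rendered later for an administrator.
$node = new stdClass();
$node->nid = 1;
$node->title = 'Widget <script>alert(document.cookie)</script>';

echo example_feature_heading_unsafe($node), "\n";
echo example_feature_heading_safe($node), "\n";
```

Run with `php example.php`: the first line contains the script tag intact, the second has it converted to entities. The rule the fix applies is to escape user-supplied strings at the point they are emitted as HTML, either with check_plain() or with an @placeholder in t(); the node title is user data even when the node was created by a role the store owner chose to trust with product creation.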

All users are encouraged to update to the latest version. Be sure to verify the compatibility of your contrib modules as you perform the update. (Current release candidate and recent beta users should not run into any compatibility issues.)

Versions affected

  • Ubercart for Drupal 5.x prior to 5.x-1.0-rc3

Drupal core is not affected. If you do not use the contributed Ubercart module, there is nothing you need to do.

Solution

Install the latest version (5.x-1.0-rc3 or later):

See also the Ubercart project page.

Reported by

The security team passed the information on to the Ubercart team via private e-mail, and the potential vulnerabilities were addressed immediately.

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.