The Ubercart module provides a shopping cart and e-commerce features for Drupal.
The order module doesn't sufficiently sanitize user input when it is displayed on an invoice, leading to a Cross-Site Scripting (XSS) vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "edit orders".
Install the latest version:
- If you use the Ubercart module for Drupal 7.x, upgrade to Ubercart 7.x-3.13
Also see the Ubercart project page.
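To check a site against the fixed release named above, the following added example (not part of the advisory or of Ubercart) reads the version line that the drupal.org packaging script writes into a module's .info file and compares it with 7.x-3.13. The sample .info text is constructed, and treating every earlier 7.x release as needing the upgrade is an assumption, since the advisory names only the fixed version.

```python
import re

FIXED = (3, 13)  # 7.x-3.13, the release the advisory says to upgrade to

# Constructed sample of a packaged Drupal 7 .info file (not copied from Ubercart).
SAMPLE_INFO = """name = Order
package = Ubercart - core
core = 7.x
dependencies[] = uc_store

; Information added by Drupal.org packaging script (constructed sample)
version = "7.x-3.12"
core = "7.x"
project = "ubercart"
"""

def parse_info(text):
    """Return scalar key/value pairs from .info text; comments and array keys are skipped."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = re.match(r'(\w+)\s*=\s*"?(.*?)"?$', line)
        if m:
            values[m.group(1)] = m.group(2)
    return values

def status(info_text):
    """Classify one .info file as 'ok', 'upgrade', 'unknown' or 'not-ubercart'."""
    info = parse_info(info_text)
    if info.get("project", "ubercart") != "ubercart":
        return "not-ubercart"
    m = re.fullmatch(r"7\.x-(\d+)\.(\d+)(-[a-z]+\d*)?", info.get("version", ""))
    if not m:
        return "unknown"  # git checkout or -dev snapshot: no release number to compare
    release = (int(m.group(1)), int(m.group(2)))
    # Assumption: a pre-release of 3.13 (for example an -rc build) counts as not fixed.
    if release < FIXED or (release == FIXED and m.group(3)):
        return "upgrade"
    return "ok"

if __name__ == "__main__":
    print(status(SAMPLE_INFO))
```

An "unknown" result means the file carries no release number, so the code in place has to be compared with the 7.x-3.13 release by hand.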
- Greg Knaddison of the Drupal Security Team