Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.Project:
Date:
2019-October-02
Vulnerability:
Cross site scripting
Description:
The Ubercart module provides a shopping cart and e-commerce features for Drupal.
The order module doesn't sufficiently sanitize user input when displayed on an invoice leading to a Cross Site Scripting (XSS) vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "edit orders".
Solution:
Install the latest version:
- If you use the Ubercart module for Drupal 7.x, upgrade to Ubercart 7.x-3.13
Also see the Ubercart project page.
Reported By:
Fixed By:
Coordinated By:
- Greg Knaddison of the Drupal Security Team
