CVSS2 base score: 6 (Medium)
CVSS2 vector: AV:N/AC:M/Au:S/C:P/I:P/A:P (Attack Vector: Network; Attack Complexity: Medium; Authentication: Single; Confidentiality, Integrity and Availability Impact: Partial)
EPSS: 0.005 (Low), percentile 77.1%
The Ubercart module for Drupal provides a shopping cart and e-commerce features for Drupal. Parts of Ubercart were vulnerable to a failure to encrypt data, cross-site scripting, and arbitrary PHP code execution.
CVE: CVE-2012-2299
Passwords supplied by new customers during checkout were stored as plain text until payment was completed for the order, for a maximum of 15 minutes. This vulnerability is not exploitable remotely, but the information may have inadvertently been leaked through database access (e.g. backups, or compromised developer laptops).
CVE: CVE-2012-2300
The product classes feature did not properly sanitize output and was vulnerable to a cross-site scripting attack. This vulnerability is mitigated by the fact that an attacker must have the "administer product classes" permission.
CVE: CVE-2012-2301
In Ubercart 6.x-2.x, arbitrary PHP code can be executed by users with the "administer conditional actions" permission. This vulnerability is mitigated by the fact that this permission should only be granted to trusted users.
Drupal core is not affected. If you do not use the contributed Ubercart module, there is nothing you need to do.
Install the latest version:
Additionally, in Drupal 6.x, ensure that only trusted users have roles that have been granted the "administer conditional actions" permission.
Also see the Ubercart project page.
References:
drupal.org/contact
drupal.org/node/1547506
drupal.org/node/1547508
drupal.org/project/ubercart
drupal.org/security-team
drupal.org/security-team/risk-levels
drupal.org/security/secure-configuration
drupal.org/user/246492
drupal.org/user/36762
drupal.org/user/395439
drupal.org/user/475828
drupal.org/user/86683
drupal.org/writing-secure-code