SA-CONTRIB-2013-019 - Ubercart Views - Cross site scripting (XSS)

2013-02-20 00:00:00
Drupal Security Team
www.drupal.org

CVSS2: 4.3 Medium (AV:N/AC:M/Au:N/C:N/I:P/A:N)

  • Attack Vector: NETWORK
  • Attack Complexity: MEDIUM
  • Authentication: NONE
  • Confidentiality Impact: NONE
  • Integrity Impact: PARTIAL
  • Availability Impact: NONE

EPSS: 0.001 Low (Percentile: 50.0%)

Ubercart Views provides Views integration for the Ubercart shopping cart module.

The “full name” field in Views is not properly sanitized on output.

The vulnerability is mitigated by the fact that an attacker must get far enough in the checkout process to store their name with an order.

CVE identifier(s) issued

  • CVE-2013-0321

Versions affected

  • All versions of Ubercart Views for Drupal 6.x prior to 6.x-3.3.

Drupal core is not affected. If you do not use the contributed Ubercart Views module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Ubercart Views project page.

Reported by

Fixed by

Coordinated by
