
Novalnet Payment Module Drupal Commerce - Critical - SQL Injection - Unsupported - SA-CONTRIB-2015-117

Published: 2015-06-03 00:00:00
Drupal Security Team
www.drupal.org

CVSS2: 7.5 High (AV:N/AC:L/Au:N/C:P/I:P/A:P)

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: PARTIAL
  • Availability Impact: PARTIAL

EPSS: 0.001 Low (percentile 50.1%)

This module enables you to add the Novalnet payment service provider to Drupal Commerce.

The module fails to sanitize a database query by not using the database API properly, thereby leading to a SQL Injection vulnerability. Since the affected path is not protected against CSRF, a malicious user can exploit this vulnerability by triggering a request to a specially-crafted URL.

This vulnerability is mitigated by the fact that the malicious request must come from a specific Novalnet IP address.
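The advisory does not publish the module's code, so the following is an added illustration of the bug class it names, written against the Drupal 7 database API: a query built by string concatenation beside the same lookup done with bound placeholders. The table `example_payment`, the column `order_no` and the function names are hypothetical.

```php
<?php
// Added illustration of the Drupal 7 database API misuse described in the
// advisory. This is NOT the Novalnet module's code; table, column and
// function names are hypothetical.

/**
 * Vulnerable pattern: a request parameter is spliced straight into SQL.
 * Whatever arrives in ?order_no= becomes part of the statement, so a
 * crafted value changes the query rather than just the compared value.
 */
function example_payment_status_vulnerable() {
  $order_no = isset($_GET['order_no']) ? $_GET['order_no'] : '';
  // Concatenation bypasses the database layer's quoting entirely.
  $result = db_query("SELECT status FROM {example_payment} WHERE order_no = '" . $order_no . "'");
  return $result->fetchField();
}

/**
 * Hardened pattern: the same lookup with a named placeholder. The database
 * API binds $order_no as a value, so it is never parsed as SQL.
 */
function example_payment_status_fixed() {
  $order_no = isset($_GET['order_no']) ? $_GET['order_no'] : '';
  $result = db_query('SELECT status FROM {example_payment} WHERE order_no = :order_no', array(
    ':order_no' => $order_no,
  ));
  return $result->fetchField();
}

/**
 * Equivalent hardened form using the query builder: condition() values are
 * always bound, and placeholder naming is handled by the API.
 */
function example_payment_status_fixed_builder($order_no) {
  return db_select('example_payment', 'p')
    ->fields('p', array('status'))
    ->condition('p.order_no', $order_no)
    ->execute()
    ->fetchField();
}
```

When reviewing a contributed module for this class of defect, grep for `db_query` calls whose SQL string contains a `.` concatenation or `$` interpolation and confirm each input reaches the query only through a placeholder or `condition()`.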

CVE identifier(s) issued

  • CVE-2015-5504

Versions affected

  • All versions of Novalnet Payment Module Drupal Commerce module

Drupal core is not affected. If you do not use the contributed Novalnet Payment Module Drupal Commerce module, there is nothing you need to do.

Solution

If you use the Novalnet Payment Module Drupal Commerce module you should uninstall it.

Also see the Novalnet Payment Module Drupal Commerce project page.

Reported by

Fixed by

Not applicable.

Coordinated by

