
Drupal vulnerabilities
Cyber Security Notification: New Vulnerabilities of September 2014
Security vulnerabilities in the Drupal content management system: descriptions of vulnerabilities in this vendor's products, as of September 13, 2014.
1. Vulnerability: Cross-site scripting in Drupal Custom BreadCrumbs
Danger level: Low
Fix available: Yes
Number of vulnerabilities: 1
CVSSv2 Rating: (AV: N / AC: L / Au: N / C: N / I: P / A: N / E: U / RL: O / RC: C) = Base: 5 / Temporal: 3.7
Attack vector: Remote
Impact: Cross-site scripting
Affected products: Drupal Custom BreadCrumbs Module 6.x
Affected versions: Drupal Custom BreadCrumbs versions prior to 6.x-1.6
Description:
The vulnerability allows a remote user to conduct an XSS attack.
The vulnerability is caused by insufficient processing of input data in the breadcrumb. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in the context of an affected site.
Note: Successful exploitation requires that the breadcrumb settings use a special identifier “.”
Solution: Install the latest version 6.x-1.6 from the manufacturer.
Manufacturer URL: https://www.drupal.org/project/custom_breadcrumbs
Links: https://www.drupal.org/node/2336263
2. Vulnerability: Disclosure of sensitive data in Drupal Ubercart
Danger level: Low
Fix available: Yes
Number of vulnerabilities: 1
CVSSv2 Rating: (AV: N / AC: L / Au: N / C: P / I: N / A: N / E: U / RL: O / RC: C) = Base: 5 / Temporal: 3.7
Attack vector: Remote
Impact: Disclosure of sensitive data
Affected products: Drupal Ubercart Module 7.x
Affected versions: Drupal Ubercart versions prior to 7.x-3.7
Description:
The vulnerability allows a remote user to gain access to certain confidential information.
The vulnerability exists because the application does not properly restrict access to the history pages. A remote user can view the history of other users.
Note: Successful exploitation requires the “view own orders” access right.
Solution: Install the latest version 7.x-3.7 from the manufacturer.
Ubercart is the most popular Drupal E-Commerce platform for your website.
Manufacturer URL: http://drupal.org/project/ubercart
Links: https://www.drupal.org/node/2336259
As announced by Drupal on September 10, 2014.
Also known as:
– SA-CONTRIB-2014-087
– SA-CONTRIB-2014-086
See https://www.drupal.org/security for Security Announcements about Drupal itself
See https://www.drupal.org/security/contrib for Security Announcements about Contributed Modules for Drupal