Notification: New Vulnerabilities in Drupal – September 13, 2014

Posted: September 13, 2014 in Vulnerability News


Cyber Security Notification: New Vulnerabilities of September 2014

Security vulnerabilities in Drupal, the content management system: descriptions of vulnerabilities in this vendor's products, published September 13, 2014.

1. Vulnerability: Cross-site scripting in Drupal Custom BreadCrumbs

Severity: Low
Fix available: Yes
Number of vulnerabilities: 1
CVSSv2 Rating: (AV:N/AC:L/Au:N/C:N/I:P/A:N/E:U/RL:O/RC:C) = Base: 5 / Temporal: 3.7

Attack vector: Remote
Impact: Cross-site scripting

Affected products: Drupal Custom BreadCrumbs Module 6.x
Affected versions: Drupal Custom BreadCrumbs versions prior to 6.x-1.6

Description:

The vulnerability allows a remote user to carry out an XSS attack.

The vulnerability is caused by insufficient sanitisation of input data in the breadcrumb. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.

Note: Successful exploitation requires that the breadcrumb settings use a special identifier.
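To show what "insufficient sanitisation in the breadcrumb" means in practice, here is an added illustrative example written for this notification; it is not code from the Custom BreadCrumbs module. It assumes a Drupal 6 environment (check_plain(), check_url(), url() and drupal_set_breadcrumb() are core Drupal 6 functions), and the $crumbs array and the example_* function names are constructed for the illustration. The unsafe variant inserts a breadcrumb title into the page as raw markup; the hardened variant escapes it so the title is rendered as text.

```php
<?php
// Added example, not the module's own code. Assumes Drupal 6 core APIs.
// $crumbs is a constructed list of breadcrumb definitions. In a real site the
// titles may derive from user-controlled data (a node title, a path argument),
// which is exactly the input the advisory says was not sanitised.
$crumbs = array(
  array('title' => 'Home', 'path' => '<front>'),
  // Constructed hostile sample: the tag must never reach the page unescaped.
  array('title' => 'News <script>alert(1)</script>', 'path' => 'news'),
);

/**
 * Vulnerable pattern: the title is concatenated into HTML unescaped, so the
 * second item above becomes a live <script> element in the visitor's browser.
 */
function example_breadcrumb_unsafe(array $crumbs) {
  $links = array();
  foreach ($crumbs as $crumb) {
    $links[] = '<a href="' . check_url(url($crumb['path'])) . '">'
      . $crumb['title'] . '</a>';
  }
  return $links;
}

/**
 * Hardened pattern: the only change is check_plain() on the title, which
 * converts <, >, &, " to entities. The hostile sample is now displayed as the
 * literal text "News <script>alert(1)</script>" and nothing executes.
 * (Drupal's l() helper applies the same escaping internally when called with
 * its default 'html' => FALSE; it is written out here to make the fix visible.)
 */
function example_breadcrumb_safe(array $crumbs) {
  $links = array();
  foreach ($crumbs as $crumb) {
    $links[] = '<a href="' . check_url(url($crumb['path'])) . '">'
      . check_plain($crumb['title']) . '</a>';
  }
  return $links;
}

// Only the escaped list is ever handed to Drupal for rendering.
drupal_set_breadcrumb(example_breadcrumb_safe($crumbs));
```

The defensive rule the example illustrates: any value that can be influenced by a site visitor or content author is escaped at the point where it is written into HTML, regardless of how trusted the configuration form that stored it appears to be.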

Solution: Install the latest version (6.x-1.6) from the vendor.

Vendor URL: https://www.drupal.org/project/custom_breadcrumbs
Links: https://www.drupal.org/node/2336263

2. Vulnerability: Disclosure of sensitive data in Drupal Ubercart

Severity: Low
Fix available: Yes
Number of vulnerabilities: 1
CVSSv2 Rating: (AV:N/AC:L/Au:N/C:P/I:N/A:N/E:U/RL:O/RC:C) = Base: 5 / Temporal: 3.7

Attack vector: Remote
Impact: Disclosure of sensitive data

Affected products: Drupal Ubercart Module 7.x
Affected versions: Drupal Ubercart versions prior to 7.x-3.7

Description:

The vulnerability allows a remote user to gain access to certain confidential information.

The vulnerability is due to the application not properly restricting access to the history pages. A remote user can view the history of other users.

Note: Successful exploitation requires the "view own orders" permission.
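The advisory describes an access check that tests only whether the caller holds a permission, not whether the record being viewed belongs to the caller. The following is an added illustrative example, not Ubercart's own code, written for this notification. It assumes Drupal 7 core APIs (hook_menu(), user_access(), the %user menu loader, format_username()); the permission name 'view own orders' comes from the advisory, while 'view all orders' and every example_* identifier are assumptions made for the illustration.

```php
<?php
// Added example, not Ubercart's code. Assumes Drupal 7 core APIs.

/**
 * Implements hook_menu().
 *
 * The history page is addressed per account (user/%user/...), so the access
 * callback receives the target account and can compare it with the caller.
 */
function example_orders_menu() {
  $items['user/%user/example-orders'] = array(
    'title' => 'Order history',
    'page callback' => 'example_orders_history_page',
    'page arguments' => array(1),
    'access callback' => 'example_orders_history_access',
    'access arguments' => array(1),
    'type' => MENU_LOCAL_TASK,
  );
  return $items;
}

/**
 * Weak check (the pattern the advisory describes): only the permission is
 * tested, so any user holding 'view own orders' can open any account's
 * history simply by changing the user ID in the URL.
 */
function example_orders_history_access_weak($target_account) {
  return user_access('view own orders');
}

/**
 * Corrected check: the permission is tied to the account in the URL.
 */
function example_orders_history_access($target_account) {
  global $user;
  // Assumed staff permission: may view anyone's history.
  if (user_access('view all orders')) {
    return TRUE;
  }
  // Anonymous visitors (uid 0) never own orders, so refuse them outright
  // rather than letting uid 0 == uid 0 slip through the comparison below.
  if (empty($user->uid)) {
    return FALSE;
  }
  // Everyone else needs 'view own orders' AND must be viewing themselves.
  return user_access('view own orders') && (int) $user->uid === (int) $target_account->uid;
}

/**
 * Page callback; reached only when example_orders_history_access() passed.
 */
function example_orders_history_page($target_account) {
  return t('Order history for @name', array('@name' => format_username($target_account)));
}
```

The corrected callback is the form a reviewer looks for on any "view own X" route: an ownership comparison against the identifier taken from the request, with the anonymous account handled explicitly, rather than a bare permission check.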

Solution: Install the latest version (7.x-3.7) from the vendor.

Ubercart is the most popular Drupal e-commerce platform for your website.

Vendor URL: http://drupal.org/project/ubercart
Links: https://www.drupal.org/node/2336259


Comments
  1. As announced on September 10, 2014 by Drupal.

    also known as:

    – SA-CONTRIB-2014-087
    – SA-CONTRIB-2014-086

    See https://www.drupal.org/security for Security Announcements about Drupal itself

    See https://www.drupal.org/security/contrib for Security Announcements about Contributed Modules for Drupal
