Multiple Vulnerabilities in Drupal Third Party Modules

 

Systems Affected



Commerce Authorize.Net SIM/DPM Payment Methods 7.x-1.x versions prior to 7.x-1.1
OG Menu 7.x-2.x versions prior to 7.x-2.2
Addressfield Tokens 7.x-1.x versions prior to 7.x-1.5
Passwordless 7.x-1.x versions up to 7.x-1.8

Threat Level


Medium


Overview


Multiple vulnerabilities have been reported in third-party Drupal modules which could allow an attacker to bypass certain access restrictions or to conduct cross-site scripting (XSS) attacks.


Description


1. Access Bypass Vulnerability in Commerce Authorize.Net SIM/DPM Payment Methods
The module does not sufficiently protect the Drupal Commerce order number that it passes to the Authorize.Net payment gateway. A remote attacker could exploit this by submitting a specially modified payment POST transaction to Authorize.Net. Successful exploitation could allow the attacker to bypass certain security restrictions.
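The general defence against this class of problem is to bind the order identifier that travels through the gateway to a server-side integrity tag, so that a POST whose order number was altered in transit is rejected when the gateway posts the result back. The following is an added illustration of that pattern; it is not the Commerce Authorize.Net module's own code or fix, and the function names, the "x_custom_*" field names, the secret and the sample orders are all hypothetical.

```php
<?php
/**
 * Added illustration of the general defence, not the Commerce Authorize.Net
 * module's own code and not the gateway's real field names: bind the order
 * identifier that is sent with a payment request to a server-side MAC, so a
 * payment POST whose order number was altered in transit is rejected when the
 * gateway posts the result back.  The function names, the "x_custom_*" fields
 * and the secret below are hypothetical.
 */

define('EXAMPLE_MAC_SECRET', 'replace-with-a-random-32-byte-secret');

// Constant-time comparison; hash_equals() exists from PHP 5.6, the fallback
// covers the older interpreters of the Drupal 7 era.
function example_mac_equals($a, $b) {
  if (function_exists('hash_equals')) {
    return hash_equals($a, $b);
  }
  if (strlen($a) !== strlen($b)) {
    return FALSE;
  }
  $diff = 0;
  for ($i = 0; $i < strlen($a); $i++) {
    $diff |= ord($a[$i]) ^ ord($b[$i]);
  }
  return $diff === 0;
}

// Fields the site adds to the outbound payment request.  The MAC covers every
// value that must not change between "pay" and "paid".
function example_payment_fields($order_id, $amount, $currency) {
  $amount_str = number_format((float) $amount, 2, '.', '');
  $canonical  = $order_id . '|' . $amount_str . '|' . $currency;
  return array(
    'x_custom_order_id' => (string) $order_id,
    'x_custom_amount'   => $amount_str,
    'x_custom_currency' => $currency,
    'x_custom_mac'      => hash_hmac('sha256', $canonical, EXAMPLE_MAC_SECRET),
  );
}

// Called with the POST the gateway relays back.  $orders stands in for the
// site's order storage.  Returns the order id that may be marked paid, or NULL.
function example_verify_callback(array $post, array $orders) {
  foreach (array('x_custom_order_id', 'x_custom_amount', 'x_custom_currency', 'x_custom_mac') as $key) {
    if (!isset($post[$key]) || !is_string($post[$key])) {
      return NULL;
    }
  }
  // Recompute the MAC from the posted values; any change to the order id,
  // amount or currency after the request was built breaks it.
  $expected = example_payment_fields($post['x_custom_order_id'], $post['x_custom_amount'], $post['x_custom_currency']);
  if (!example_mac_equals($expected['x_custom_mac'], $post['x_custom_mac'])) {
    return NULL;
  }
  // The MAC proves the values are ours; still confirm they match the stored
  // order and that the order has not already been paid.
  $id = $expected['x_custom_order_id'];
  if (!isset($orders[$id]) || $orders[$id]['status'] !== 'pending') {
    return NULL;
  }
  if ($orders[$id]['amount'] !== $expected['x_custom_amount'] || $orders[$id]['currency'] !== $expected['x_custom_currency']) {
    return NULL;
  }
  return $id;
}

// Constructed scenario (sample data, not a real transaction): two pending
// orders; the customer pays for the cheaper one but alters the order id in the
// POST so that it names the expensive one.
$orders = array(
  '1001' => array('status' => 'pending', 'amount' => '50.00', 'currency' => 'USD'),
  '1002' => array('status' => 'pending', 'amount' => '5.00',  'currency' => 'USD'),
);
$genuine  = example_payment_fields('1002', 5.00, 'USD');
$tampered = $genuine;
$tampered['x_custom_order_id'] = '1001';

var_dump(example_verify_callback($genuine, $orders));
var_dump(example_verify_callback($tampered, $orders));
```

Run with `php` on the command line: the untouched POST yields the id of the order that was actually paid for, while the POST with the rewritten order id fails the MAC check and yields NULL, so nothing is marked paid. The second block of checks in `example_verify_callback()` matters even when the MAC is valid: a genuine, correctly signed POST can still be replayed, so the order must also be confirmed to be pending and to match the signed amount and currency before its status changes.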

2. Access Bypass Vulnerability in OG Menu module
OG Menu, which allows menus to be used within Organic Groups, does not sufficiently restrict access to its configuration. An attacker with a role that has the "access administration pages" permission could exploit this to change the OG Menu configuration.
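The Drupal 7 pattern behind this kind of access bypass is a menu router entry whose only guard is a broad, widely granted permission. The following added illustration (not the OG Menu module's code; the module name "example_ogmenu", its path, variable and permission names are hypothetical) shows such an entry beside the hardened form that declares and requires a module-specific permission.

```php
<?php
/**
 * Added illustration, not the OG Menu module's code: a Drupal 7 hook_menu()
 * entry for a configuration page that is guarded only by the broad
 * "access administration pages" permission (the kind of check that lets any
 * admin-page viewer change module configuration), next to the hardened form
 * that declares and requires a permission specific to the module.  The module
 * name "example_ogmenu", its paths and permission names are hypothetical.
 */

/**
 * Weak router definition: the page is reachable by every role that may view
 * the administration area, whether or not it should manage group menus.
 * (Named *_weak so it is not picked up as the real hook; an actual module has
 * only one hook_menu() implementation.)
 */
function example_ogmenu_menu_weak() {
  $items = array();
  $items['admin/config/group/example-ogmenu'] = array(
    'title' => 'Example OG Menu settings',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('example_ogmenu_settings_form'),
    'access arguments' => array('access administration pages'),
  );
  return $items;
}

/**
 * Implements hook_permission(): a dedicated permission that site builders
 * must grant deliberately.  'restrict access' marks it as security-sensitive
 * on the permissions page.
 */
function example_ogmenu_permission() {
  return array(
    'administer example ogmenu' => array(
      'title' => t('Administer Example OG Menu'),
      'description' => t('Change which menus are available inside groups.'),
      'restrict access' => TRUE,
    ),
  );
}

/**
 * Implements hook_menu(): the same page, now guarded by the module permission.
 */
function example_ogmenu_menu() {
  $items = array();
  $items['admin/config/group/example-ogmenu'] = array(
    'title' => 'Example OG Menu settings',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('example_ogmenu_settings_form'),
    'access arguments' => array('administer example ogmenu'),
  );
  return $items;
}

/**
 * The settings form itself; system_settings_form() saves the value as a
 * Drupal variable.  The form has no access check of its own: whatever the
 * router entry grants is what protects it, which is why that check matters.
 */
function example_ogmenu_settings_form($form, &$form_state) {
  $form['example_ogmenu_enabled_menus'] = array(
    '#type' => 'textarea',
    '#title' => t('Menus available inside groups'),
    '#description' => t('One menu machine name per line.'),
    '#default_value' => variable_get('example_ogmenu_enabled_menus', ''),
  );
  return system_settings_form($form);
}

/**
 * Page callbacks and submit handlers that can be reached from more than one
 * path should repeat the check rather than trust the router alone.
 */
function example_ogmenu_can_administer($account = NULL) {
  return user_access('administer example ogmenu', $account);
}
```

A quick audit for this pattern in any contributed module is to grep its `hook_menu()` implementations for `'access arguments' => array('access administration pages')` on paths that write configuration; those pages are open to every role that can see the admin area, not only to the roles meant to manage the feature.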

3. Addressfield Tokens Cross Site Scripting Vulnerability
The module does not sufficiently filter user-supplied input. An attacker with a role that has the "create content" or "edit content" permission could exploit this by submitting crafted input to conduct cross-site scripting attacks.

4. Passwordless Cross Site Scripting Vulnerability
The module does not sufficiently sanitize text entered in its configuration form. An attacker with a role that has the "configure passwordless settings" permission could exploit this to conduct cross-site scripting attacks.
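Items 3 and 4 are the two usual shapes of stored XSS in a Drupal 7 module: a configuration string that an administrator typed being emitted as markup, and a field value being exposed through a token without honouring the sanitize option. The following is an added illustration of both, not code from Addressfield Tokens or Passwordless; the module "example_msg", its variable, token type and function names and the sample payloads are invented for the example.

```php
<?php
/**
 * Added illustration, not code from Addressfield Tokens or Passwordless:
 * a hypothetical Drupal 7 module "example_msg" that (a) renders an
 * administrator-entered configuration string and (b) exposes an address
 * component as a token.  Each is shown in the unsanitized form that produces
 * stored XSS and in the sanitized form.  The module, variable, token type and
 * function names are invented for the example.
 */

// Shims so the file also runs under a plain `php` interpreter; inside Drupal
// the real functions are used.  Drupal 7's check_plain() is htmlspecialchars()
// with ENT_QUOTES and UTF-8, which is exactly what the shim does.
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
  function variable_get($name, $default = NULL) {
    return isset($GLOBALS['example_conf'][$name]) ? $GLOBALS['example_conf'][$name] : $default;
  }
  function variable_set($name, $value) {
    $GLOBALS['example_conf'][$name] = $value;
  }
}

// (a) Configuration text.  Vulnerable: the saved string goes straight into
// '#markup', so script typed into the settings form runs for every visitor.
function example_msg_render_weak() {
  return array('#markup' => '<p class="msg">' . variable_get('example_msg_text', '') . '</p>');
}

// Hardened: escape it as plain text.  (If the setting is meant to carry a
// limited set of HTML tags, filter_xss() with an explicit tag list is the
// Drupal 7 alternative; it is not shimmed here.)
function example_msg_render() {
  return array('#markup' => '<p class="msg">' . check_plain(variable_get('example_msg_text', '')) . '</p>');
}

// (b) Tokens.  Drupal 7's hook_tokens() receives $options['sanitize'];
// token_replace() sets it to TRUE by default, and a module that ignores it
// (or passes 'sanitize' => FALSE itself) ships raw field content into HTML.
function example_msg_tokens($type, $tokens, array $data = array(), array $options = array()) {
  $sanitize = !empty($options['sanitize']);
  $replacements = array();
  if ($type == 'example_address' && !empty($data['address'])) {
    foreach ($tokens as $name => $original) {
      if (isset($data['address'][$name])) {
        $value = $data['address'][$name];
        $replacements[$original] = $sanitize ? check_plain($value) : $value;
      }
    }
  }
  return $replacements;
}

// Constructed sample input: what an administrator could type into the
// settings form, and what a user with "create content" could type into an
// address field.  Both payloads are illustrative strings, not captured attacks.
variable_set('example_msg_text', 'Log in <img src=x onerror="alert(document.cookie)">');
$address = array('thoroughfare' => '1 Main St<script>alert(1)</script>');
$tokens  = array('thoroughfare' => '[example_address:thoroughfare]');

$weak = example_msg_render_weak();
$safe = example_msg_render();
echo "weak markup:   " . $weak['#markup'] . "\n";
echo "safe markup:   " . $safe['#markup'] . "\n";

$raw = example_msg_tokens('example_address', $tokens, array('address' => $address), array('sanitize' => FALSE));
$esc = example_msg_tokens('example_address', $tokens, array('address' => $address), array('sanitize' => TRUE));
echo "raw token:     " . $raw['[example_address:thoroughfare]'] . "\n";
echo "escaped token: " . $esc['[example_address:thoroughfare]'] . "\n";
```

Run with `php` on the command line: the "weak" lines reproduce the injected tags verbatim, the "safe" lines show them converted to HTML entities. Two points from the page's own descriptions follow from this: an XSS in a settings form is only reachable by roles holding the module's configure permission, so keeping that permission to trusted roles limits exposure, whereas a token or field-value XSS is reachable by anyone allowed to create or edit content, which on most sites is a far larger population.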


Impact


Successful exploitation could allow an attacker to bypass access restrictions enforced by the affected modules, or to execute arbitrary script in the browser of a user viewing the affected site.

Solution/ Workarounds


Apply the fixes issued by the vendor, which are available at the following links:
https://www.drupal.org/node/2365685
https://www.drupal.org/node/2365809
https://www.drupal.org/node/2365673
https://www.drupal.org/node/2365645


References


http://www.cert-in.org.in/


Disclaimer


The information provided herein is on "as is" basis, without warranty of any kind.


 
     

© Copyright Sri Lanka CERT|CC. All Rights Reserved.