Lucene search

Drupal Security TeamDRUPAL-SA-CONTRIB-2012-076

HistoryMay 16, 2012 - 12:00 a.m.

SA-CONTRIB-2012-076 - Ubercart Product Keys Access Bypass

2012-05-1600:00:00

Drupal Security Team

www.drupal.org

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

0.017 Low

EPSS

Percentile

87.7%

JSON

CVE: CVE-2012-2702.

This module enables you to sell product keys from an Ubercart store.

Under certain circumstances, a user can view all unassigned product keys which could grant them access to the software circumventing the process of selling the key.

Versions affected

Ubercart Product Keys 6.x-1.x versions prior to 6.x-1.1.

Drupal core is not affected. If you do not use the contributed Ubercart Product Keys module, there is nothing you need to do.

Solution

Install the latest version:

If you use the uc_product_keys module for Drupal 6.x upgrade to uc_products_key 6.x-1.1.

Also see the Ubercart Product Keys project page.

Reported by

Daniel Glucksman

Fixed by

Daniel Glucksman
Tony Freixas the module maintainer

Coordinated by

Greg Knaddison of the Drupal Security Team
Michael Hess of the Drupal Security Team

References

drupal.org/contact

drupal.org/node/1580752

drupal.org/project/uc_product_keys

drupal.org/security-team

drupal.org/security-team/risk-levels

drupal.org/security/secure-configuration

drupal.org/user/102818

drupal.org/user/131274

drupal.org/user/36762

drupal.org/writing-secure-code

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

0.017 Low

EPSS

Percentile

87.7%

JSON

Related for DRUPAL-SA-CONTRIB-2012-076