Drupal Security Team: DRUPAL-SA-CONTRIB-2013-002
Jan 09, 2013 - 12:00 a.m.

SA-CONTRIB-2013-002 - Payment - Access Bypass

2013-01-09 00:00:00
Drupal Security Team
www.drupal.org

CVSS2: 5 Medium

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: NONE
  • Availability Impact: NONE
  • Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

EPSS: 0.002 Low

  • Percentile: 64.5%

Payment enables other modules to make payments using a variety of payment processing services.

The module incorrectly grants access when checking if a user can view payments, allowing a user to access the payments of other users.

CVE identifier(s) issued

  • CVE-2013-0182

Versions affected

  • Payment 7.x-1.x versions prior to 7.x-1.3.

Drupal core is not affected. If you do not use the contributed Payment module, there is nothing you need to do.

Solution

Update to Payment 7.x-1.3 or later.

Also see the Payment project page.

Reported by

Fixed by

Coordinated by
