Lucene search

Drupal Security TeamDRUPAL-SA-CONTRIB-2015-034

HistoryFeb 04, 2015 - 12:00 a.m.

SA-CONTRIB-2015-034 - Commerce WeDeal - Open Redirect

2015-02-0400:00:00

Drupal Security Team

www.drupal.org

CVSS2

5.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

EPSS

0.967

Percentile

99.7%

JSON

Commerce WeDeal module enables you to do Commerce payments through the payment provider WeDeal.

The module doesn’t sufficiently check a query parameter used for page redirection, thereby leading to an Open Redirect vulnerability.

CVE identifier(s) issued

CVE-2015-3393

Versions affected

Commerce WeDeal 7.x-1.x versions prior to 7.x-1.3.

Drupal core is not affected. If you do not use the contributed Commerce WeDeal module,
there is nothing you need to do.

Solution

Install the latest version:

If you use the Commerce WeDeal module for Drupal 7.x, upgrade to Commerce WeDeal 7.x-1.3

Also see the Commerce WeDeal project page.

Reported by

Pere Orga of the Drupal Security Team

Fixed by

Jeroen Bobbeldijk the module maintainer

Coordinated by

Pere Orga of the Drupal Security Team

References

twitter.com/drupalsecurity

www.drupal.org/contact

www.drupal.org/project/commerce_wedeal

www.drupal.org/security-team

www.drupal.org/security-team/risk-levels

www.drupal.org/security/secure-configuration

www.drupal.org/user/1853532

www.drupal.org/user/2301194

www.drupal.org/writing-secure-code

CVSS2

5.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

EPSS

0.967

Percentile

99.7%

JSON

Related for DRUPAL-SA-CONTRIB-2015-034