CVSS2: 5.8 Medium
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:P
EPSS: 0.002 Low
Percentile: 53.6%
Commerce Balanced Payments module integrates Drupal Commerce with the Balanced Payments third-party service.
The module doesn’t sufficiently sanitize user-supplied text on the Bank Account Listing page, thereby exposing a cross-site scripting (XSS) vulnerability.
Also, some URLs were not protected against CSRF. A malicious user can cause another user to delete their configured bank accounts by getting their browser to make a request to a specially-crafted URL.
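The two controls described as missing above (escaping user-supplied text on the listing page, and tying the delete URL to the requesting user), shown in plain PHP as an added example. This is not code from the module or from Drupal; the function names, route, secret and sample accounts are hypothetical.

```php
<?php
// Added illustration, not code from the Commerce Balanced Payments module.
// All names and sample data below are hypothetical.

const SITE_SECRET = 'constructed-demo-secret'; // assumption: per-site private key

// Token bound to the user's session and to one specific action, so a URL
// prepared by another party cannot carry a valid value.
function action_token(string $sessionId, string $action): string {
    return hash_hmac('sha256', $action, SITE_SECRET . $sessionId);
}

function token_is_valid(string $sessionId, string $action, string $token): bool {
    return hash_equals(action_token($sessionId, $action), $token);
}

// Render the listing: every user-supplied field is escaped on output, and
// deletion is a POST form carrying the token instead of a bare GET link.
function render_bank_accounts(array $accounts, string $sessionId): string {
    $rows = '';
    foreach ($accounts as $id => $acct) {
        $label = htmlspecialchars($acct['name'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        $token = action_token($sessionId, "delete-bank-account:$id");
        $rows .= "<li>$label"
            . '<form method="post" action="/bank-accounts/' . (int) $id . '/delete">'
            . '<input type="hidden" name="token" value="' . $token . '">'
            . '<button type="submit">Delete</button></form></li>' . "\n";
    }
    return "<ul>\n$rows</ul>\n";
}

// Delete handler: refuse anything that is not a POST with a valid token.
function handle_delete(string $method, array $post, int $id, string $sessionId, array &$accounts): int {
    $token = $post['token'] ?? '';
    if ($method !== 'POST' || !is_string($token)
        || !token_is_valid($sessionId, "delete-bank-account:$id", $token)) {
        return 403;
    }
    unset($accounts[$id]);
    return 200;
}

// Constructed sample data: the second name contains markup.
$accounts = [1 => ['name' => 'Main checking'], 2 => ['name' => '<b>Payroll</b> & tax']];
echo render_bank_accounts($accounts, 'session-abc');
echo handle_delete('GET', [], 1, 'session-abc', $accounts), "\n"; // request without a token
$ok = ['token' => action_token('session-abc', 'delete-bank-account:1')];
echo handle_delete('POST', $ok, 1, 'session-abc', $accounts), "\n";
```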
Drupal core is not affected. If you do not use the contributed Commerce Balanced Payments module, there is nothing you need to do.
If you use the Commerce Balanced Payments module you should uninstall it.
Also see the Commerce Balanced Payments project page.
Not applicable.