SA-CONTRIB-2015-043 - Commerce Balanced Payments - Multiple vulnerabilities

Advisory ID: DRUPAL-SA-CONTRIB-2015-043
Date: 2015-02-11
Published by: Drupal Security Team (www.drupal.org)

CVSS2: 5.8 Medium (AV:N/AC:M/Au:N/C:N/I:P/A:P)
  Attack Vector: NETWORK
  Attack Complexity: MEDIUM
  Authentication: NONE
  Confidentiality Impact: NONE
  Integrity Impact: PARTIAL
  Availability Impact: PARTIAL

EPSS: 0.002 Low (percentile 53.6%)

Commerce Balanced Payments module integrates Drupal Commerce with the Balanced Payments third-party service.

The module doesn't sufficiently sanitize user-supplied text on the Bank Account Listing Page, thereby exposing a Cross Site Scripting vulnerability.

Also, some URLs were not protected against CSRF. A malicious user can cause another user to delete their configured bank accounts by getting their browser to make a request to a specially-crafted URL.
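The advisory does not reproduce the module's source, so the following is an added illustration rather than code from Commerce Balanced Payments: a hypothetical Drupal 7 module, here called example_bank, showing each of the two weakness classes beside the standard Drupal 7 fix. The function names, the "user/bank/%/delete" path, the example_bank_delete_account() storage helper and the account object fields are all assumptions; check_plain(), theme('table'), l(), drupal_get_token() and drupal_valid_token() are real Drupal 7 API functions.

```php
<?php
/**
 * Added example, not code from the Commerce Balanced Payments module.
 * Hypothetical Drupal 7 module "example_bank": each weakness class from the
 * advisory as a vulnerable form beside its hardened form.
 */

/* ---- 1. Cross-site scripting on a listing page ---------------------------- */

/**
 * Vulnerable: user-supplied text (an account nickname) is placed into HTML
 * unescaped. theme('table') does not escape cell data, so any markup stored
 * in $account->name is rendered in every visitor's browser.
 */
function example_bank_list_vulnerable(array $accounts) {
  $rows = array();
  foreach ($accounts as $account) {
    $rows[] = array($account->name, $account->last_four);
  }
  return theme('table', array('header' => array(t('Name'), t('Last 4')), 'rows' => $rows));
}

/**
 * Hardened: every user-controlled string is passed through check_plain()
 * before it reaches HTML, so it is shown as text rather than interpreted.
 */
function example_bank_list_hardened(array $accounts) {
  $rows = array();
  foreach ($accounts as $account) {
    $rows[] = array(check_plain($account->name), check_plain($account->last_four));
  }
  return theme('table', array('header' => array(t('Name'), t('Last 4')), 'rows' => $rows));
}

/* ---- 2. Cross-site request forgery on a delete URL ------------------------ */

/**
 * Vulnerable: a plain GET to user/bank/123/delete removes the account at
 * once. Any page the logged-in user visits can make their browser send that
 * request, which is the CSRF described in the advisory.
 */
function example_bank_delete_vulnerable($account_id) {
  example_bank_delete_account($account_id); // hypothetical storage helper
  drupal_set_message(t('Bank account removed.'));
  drupal_goto('user/bank');
}

/**
 * Hardened, step 1: the delete link carries a token that drupal_get_token()
 * derives from the current session and the account id. A third-party page
 * cannot compute it, so a forged request cannot include a valid one.
 */
function example_bank_delete_link($account_id) {
  return l(t('Delete'), "user/bank/$account_id/delete", array(
    'query' => array('token' => drupal_get_token('example_bank_delete_' . $account_id)),
  ));
}

/**
 * Hardened, step 2: the page callback refuses any request whose token does
 * not validate for this session and this account id. Returning
 * MENU_ACCESS_DENIED makes Drupal 7 deliver a 403 instead of the page.
 */
function example_bank_delete_hardened($account_id) {
  $token = isset($_GET['token']) ? $_GET['token'] : '';
  if (!drupal_valid_token($token, 'example_bank_delete_' . $account_id)) {
    return MENU_ACCESS_DENIED;
  }
  example_bank_delete_account($account_id); // hypothetical storage helper
  drupal_set_message(t('Bank account removed.'));
  drupal_goto('user/bank');
}

/**
 * Hypothetical menu entry for the hardened route. The token check guards
 * against forgery; ownership of the account still has to be enforced by
 * the access callback, which is a separate concern from CSRF.
 */
function example_bank_menu() {
  $items['user/bank/%/delete'] = array(
    'page callback' => 'example_bank_delete_hardened',
    'page arguments' => array(2),
    'access callback' => 'example_bank_user_owns_account', // hypothetical
    'access arguments' => array(2),
    'type' => MENU_CALLBACK,
  );
  return $items;
}
```

The more idiomatic Drupal 7 fix for a destructive action is to route it through a form built with confirm_form(), because the Form API adds and validates a per-session token on every submission automatically; the explicit drupal_get_token()/drupal_valid_token() pair above is the equivalent protection for a plain link. Neither change alters the output escaping problem, which is fixed independently by check_plain() on the listing page.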

CVE identifier(s) issued

  • Cross Site Scripting: CVE-2015-3384
  • Cross Site Request Forgery: CVE-2015-3388

Versions affected

  • All versions of Commerce Balanced Payments.

Drupal core is not affected. If you do not use the contributed Commerce Balanced Payments module, there is nothing you need to do.

Solution

If you use the Commerce Balanced Payments module you should uninstall it.

Also see the Commerce Balanced Payments project page.

Reported by

Fixed by

Not applicable.

Coordinated by
