Invoice - Moderately Critical - Multiple vulnerabilities - SA-CONTRIB-2015-085

Invoice module allows you to create invoices in Drupal.

The module doesn’t sufficiently sanitize user supplied text in some pages, thereby exposing a Cross Site Scripting vulnerability.

Additionally, some URLs were not protected against CSRF. A malicious user can cause another user to create, delete and alter invoices by getting their browser to make a request to a specially-crafted URL.

The XSS vulnerability is mitigated by the fact that an attacker must have a role with the permission “Administer own invoices” and be able to create/edit nodes of the “Invoice” content type.

CVE identifier(s) issued

• Cross Site Scripting: CVE-2015-4381 * Cross Site Request Forgery:CVE-2015-4382

Versions affected

• Invoice 7.x-1.x versions prior to 7.x-1.3
• Invoice 6.x-1.x versions prior to 6.x-1.2

Drupal core is not affected. If you do not use the contributed Invoice module, there is nothing you need to do.

Solution

Install the latest version:

• If you use the Invoice module for Drupal 6.x, upgrade to Invoice 6.x-1.2
• If you use the Invoice module for Drupal 7.x, upgrade to Invoice 7.x-1.3

Also see the Invoice project page.

Reported by

• Matt Vance, provisional member Drupal Security Team
• Pere Orga of the Drupal Security Team

Fixed by

• Mehdi Hannaizi

Coordinated by

• Pere Orga of the Drupal Security Team
• Matt Vance, provisional member Drupal Security Team