6.8 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
0.967 High
EPSS
Percentile
99.7%
Invoice module allows you to create invoices in Drupal.
The module doesn’t sufficiently sanitize user supplied text in some pages, thereby exposing a Cross Site Scripting vulnerability.
Additionally, some URLs were not protected against CSRF. A malicious user can cause another user to create, delete and alter invoices by getting their browser to make a request to a specially-crafted URL.
The XSS vulnerability is mitigated by the fact that an attacker must have a role with the permission “Administer own invoices” and be able to create/edit nodes of the “Invoice” content type.
Drupal core is not affected. If you do not use the contributed Invoice module, there is nothing you need to do.
Install the latest version:
Also see the Invoice project page.
twitter.com/drupalsecurity
www.drupal.org/contact
www.drupal.org/project/invoice
www.drupal.org/security-team
www.drupal.org/security-team/risk-levels
www.drupal.org/security/secure-configuration
www.drupal.org/user/1374764
www.drupal.org/user/2301194
www.drupal.org/user/88338
www.drupal.org/writing-secure-code