Ubercart Webform Checkout Pane - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-087

Ubercart Webform Checkout Pane module allows you to define Webform nodes as checkout/order panes in Ubercart.

The module doesn’t sufficiently sanitize user supplied text in some pages, thereby exposing a Cross Site Scripting vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a user with permission to create/edit Ubercart products or webforms.

CVE identifier(s) issued

• CVE-2015-4384

Versions affected

• Ubercart Webform Checkout Pane 7.x-3.x versions prior to 7.x-3.11
• Ubercart Webform Checkout Pane 6.x-3.x versions prior to 6.x-3.10

Drupal core is not affected. If you do not use the contributed Ubercart Webform Checkout Pane module, there is nothing you need to do.

Solution

Install the latest version:

• If you use the Ubercart Webform Checkout Pane module for Drupal 6, upgrade to Ubercart Webform Checkout Pane 6.x-3.10
• If you use the Ubercart Webform Checkout Pane module for Drupal 7, upgrade to Ubercart Webform Checkout Pane 7.x-3.11

Reported by

• Joel Stein
• Dylan Tack of the Drupal Security Team
• Pere Orga of the Drupal Security Team

Fixed by

• hbemtec
• arski, the module maintainer

Coordinated by

• Pere Orga of the Drupal Security Team