SA-CONTRIB-2015-064 – Ubercart Discount Coupons – Cross Site Scripting (XSS)

Description

Ubercart Discount Coupons module provides discount coupons for Ubercart stores.

The module does not sufficiently sanitize user-supplied text on some administration pages, thereby exposing a Cross Site Scripting (XSS) vulnerability.

The vulnerability is mitigated by the fact that an attacker must have a user with permission to create/edit taxonomy terms. Note that for vocabularies with free tagging enabled, this includes any user with permission to add/edit content of a type to which the vocabulary applies.
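As an added illustration of the defect class this advisory describes (not code from the module or the advisory), the following assumes a Drupal 6 style administration page that lists taxonomy term names in a table. The term name is rendered once unescaped and once through check_plain(); the fallback definition of check_plain() mirrors Drupal's only so the snippet runs outside Drupal.

```php
<?php
// Added example, not the module's code. Assumed: an admin page that builds an
// HTML table of taxonomy term names (coupon categories) stored by site users.

// Drupal 6/7 ship check_plain() for HTML escaping; this fallback is equivalent
// in effect and exists only so the snippet runs outside Drupal.
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// Constructed sample terms. Term names are plain text, so any markup stored
// in them is data and must never be interpreted as HTML when displayed.
$terms = array(
  (object) array('tid' => 1, 'name' => 'Spring sale'),
  (object) array('tid' => 2, 'name' => '<script>alert(1)</script>'),
);

// Vulnerable pattern: the stored name is concatenated into the admin page
// as-is, so a browser renders whatever markup the term author stored.
function coupon_terms_table_unsafe(array $terms) {
  $rows = '';
  foreach ($terms as $term) {
    $rows .= '<tr><td>' . $term->name . '</td></tr>';
  }
  return '<table>' . $rows . '</table>';
}

// Hardened pattern: every user-supplied string passes through check_plain()
// before it is placed in markup, so it is displayed literally.
function coupon_terms_table_safe(array $terms) {
  $rows = '';
  foreach ($terms as $term) {
    $rows .= '<tr><td>' . check_plain($term->name) . '</td></tr>';
  }
  return '<table>' . $rows . '</table>';
}

// Reviewer check: no raw tag from the input survives in the hardened output.
$safe = coupon_terms_table_safe($terms);
if (strpos($safe, '<script>') !== false) {
  throw new RuntimeException('term name reached the page unescaped');
}
echo $safe, "\n"; // the stored tag appears as &lt;script&gt;, i.e. visible text
```

The same rule applies to any other user-controlled string (descriptions, titles, option labels) placed into administration pages: escape at output, in the theme or render layer, rather than relying on input filtering.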

CVE identifier(s) issued

  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

  • Ubercart Discount Coupons 6.x-1.x versions prior to 6.x-1.8

Drupal core is not affected. If you do not use the contributed Ubercart Discount Coupons module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Ubercart Discount Coupons project page.

Reported by

Fixed by

  • wodenx, the module maintainer

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity
