Commerce Invoices - Highly Critical - SQL Injection and Cross Site Scripting - DRUPAL-SA-CONTRIB-2017-070

* Advisory ID: DRUPAL-SA-CONTRIB-2017-070
* Project: Commerce Invoices (third-party module)
* Version: 7.x
* Date: 2017-August-30
* Security risk: 20/25 (Highly Critical)
* Vulnerability: Cross Site Scripting, SQL Injection

DESCRIPTION

Commerce Invoices allows you to enter an invoice number, company name and
amount, and it will generate an invoice that the client can pay on your site
using any payment method supported by Drupal Commerce.

SQL INJECTION

The module did not properly use Drupal's database API when querying the
database with user supplied values, allowing an attacker to send a specially
crafted request to modify the query or potentially perform additional
queries.

The vulnerability is mitigated by the fact that the attacker must have the
'access checkout' permission - this permission is commonly granted.

STORED CROSS SITE SCRIPTING (XSS)

The module did not filter user-supplied text prior to printing that text back
to users of the site.

The vulnerability is mitigated by the fact that the attacker must have the
'access checkout' permission - this permission is commonly granted.
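The two defect classes above, shown as an added Drupal 7 illustration that is not the Commerce Invoices module's own code; the table name `invoice_example`, its columns and the function names are hypothetical, the API calls (`db_query()`, `check_plain()`, `t()`) are Drupal 7's:

```php
<?php
// Added illustration, not code from the Commerce Invoices module.
// Table and column names (invoice_example, invoice_number, company, amount)
// are hypothetical; the patterns are Drupal 7 database API and output escaping.

/**
 * VULNERABLE PATTERN (SQL injection): user input concatenated into the SQL
 * string. Whatever the client submits as $invoice_number becomes part of the
 * query text, which is the bug class the advisory describes.
 */
function invoice_example_lookup_unsafe($invoice_number) {
  $sql = "SELECT company, amount FROM {invoice_example} WHERE invoice_number = '" . $invoice_number . "'";
  return db_query($sql)->fetchAssoc();
}

/**
 * FIXED: the value travels as a bound placeholder, so the database driver
 * never interprets it as SQL. db_select()->condition() binds values the same way.
 */
function invoice_example_lookup_safe($invoice_number) {
  return db_query(
    'SELECT company, amount FROM {invoice_example} WHERE invoice_number = :num',
    array(':num' => $invoice_number)
  )->fetchAssoc();
}

/**
 * VULNERABLE PATTERN (stored XSS): the stored company name is echoed into HTML
 * unescaped, so markup entered at checkout renders in other users' browsers.
 */
function invoice_example_render_unsafe(array $invoice) {
  return '<div class="invoice-company">' . $invoice['company'] . '</div>';
}

/**
 * FIXED: escape on output. check_plain() encodes HTML special characters; the
 * @placeholder form of t() does the same while keeping the label translatable.
 */
function invoice_example_render_safe(array $invoice) {
  $company = check_plain($invoice['company']);
  return '<div class="invoice-company">' . t('Company: @name', array('@name' => $company)) . '</div>';
}
```

Reviewing a module for these patterns means grepping for `db_query()` calls that build their SQL with interpolation or concatenation, and for render output that prints a stored field without `check_plain()`, `filter_xss()` or an escaping `t()` placeholder.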

VERSIONS AFFECTED

All Commerce Invoices versions prior to 7.x-1.1

Drupal core is not affected. If you do not use the contributed Commerce
Invoices module, there is nothing you need to do.

SOLUTION

Install the latest version:

* If you use the Commerce Invoices module for Drupal 7.x, upgrade to Commerce Invoices 7.x-1.1

Special note: the module's strings have changed. Any site that uses Drupal's
localization system should review and update the translated strings on the
site.

Also see the Commerce Invoices project page: https://www.drupal.org/project/commerce_invoices
