Commerce Invoices - Highly Critical - SQL Injection and Cross Site Scripting - DRUPAL-SA-CONTRIB-2017-070

Description

Commerce Invoices allows you to enter an Invoice number, Company name and Amount and it will generate an Invoice that the client can pay on your site using any payment method supported by Drupal commerce.

SQL Injection

The module did not properly use Drupal's database API when querying the database with user supplied values, allowing an attacker to send a specially crafted request to modify the query or potentially perform additional queries.

The vulnerability is mitigated by the fact that the attacker must have the 'access checkout' permission - this permission is commonly granted.

Stored Cross Site Scripting (XSS)

The module did not filter user-supplied text prior to printing that text back to users of the site.

The vulnerability is mitigated by the fact that the attacker must have the 'access checkout' permission - this permission is commonly granted.
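The advisory names two defects, a query built from user-supplied values outside the database API and user text printed without filtering, but does not show the module's code. The following Drupal 7 snippet is an added illustration written for this page, not the Commerce Invoices module's own code: the table name example_invoice, the column names and every function name are hypothetical. It places the vulnerable pattern beside the form the Drupal 7 API intends.

```php
<?php
// Added illustration of the two defect classes in this advisory.
// Not the Commerce Invoices module's code; table 'example_invoice',
// its columns and all function names are assumed for the example.

/**
 * Vulnerable pattern: the user value is interpolated into the SQL string,
 * and the stored text is handed back for printing without escaping.
 */
function example_invoice_lookup_vulnerable($invoice_number) {
  // A crafted invoice number can terminate the quoted literal and change
  // the query, because nothing binds the value as data.
  $company = db_query(
    "SELECT company FROM {example_invoice} WHERE invoice_number = '$invoice_number'"
  )->fetchField();
  // Raw database text returned for output: stored XSS if it contains markup.
  return $company;
}

/**
 * Hardened pattern: named placeholders bind the value through the database
 * API, and the stored text is escaped with check_plain() before rendering.
 */
function example_invoice_lookup_fixed($invoice_number) {
  $company = db_query(
    'SELECT company FROM {example_invoice} WHERE invoice_number = :number',
    array(':number' => $invoice_number)
  )->fetchField();

  // Equivalent with the query builder, which binds conditions for you:
  // $company = db_select('example_invoice', 'i')
  //   ->fields('i', array('company'))
  //   ->condition('invoice_number', $invoice_number)
  //   ->execute()
  //   ->fetchField();

  return $company === FALSE ? NULL : check_plain($company);
}

/**
 * Writing user-supplied form values: db_insert() binds every field, so
 * company names containing quotes or angle brackets are stored verbatim
 * and never reach the SQL text itself.
 */
function example_invoice_form_submit($form, &$form_state) {
  db_insert('example_invoice')
    ->fields(array(
      'invoice_number' => $form_state['values']['invoice_number'],
      'company'        => $form_state['values']['company'],
      'amount'         => $form_state['values']['amount'],
    ))
    ->execute();
}

/**
 * Printing stored values: t() runs '@' placeholders through check_plain(),
 * while '!' placeholders are inserted unescaped and are only for trusted
 * markup.
 */
function example_invoice_summary($company, $amount) {
  return t('Invoice for @company: @amount', array(
    '@company' => $company,
    '@amount'  => $amount,
  ));
}
```

Two caveats a reviewer of this kind of fix would check: Drupal 7 placeholders bind values only, so a table name, column name or sort direction taken from the request still needs a whitelist (or db_select()'s orderBy() on a known column); and escaping belongs at the output point, so a value that is check_plain()'d on the way into the database will be double-escaped when printed through t() or a theme function.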

CVE identifier(s) issued

  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

  • All Commerce Invoices versions prior to 7.x-1.1

Drupal core is not affected. If you do not use the contributed Commerce Invoices module, there is nothing you need to do.

Solution

Install the latest version:

Special note: the module's strings have changed. Any site that uses Drupal's localization system should review and update the translated strings on the site.

Also see the Commerce Invoices project page.

Reported by

Fixed by

Coordinated by

Updates

A person above was marked as a member of the security team when they were not

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x