CVE-2012-1639: XSS
First published: Mon Oct 01 2012(Updated: )
Multiple cross-site scripting (XSS) vulnerabilities in product/commerce_product.module in the Drupal Commerce module for Drupal before 7.x-1.2 allow remote authenticated users to inject arbitrary web script or HTML via the (1) sku or (2) title parameters.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Drupal Drupal | ||
| Commerceguys Commerce | <=7.x-1.1 | |
| Commerceguys Commerce | =7.x-1.0 | |
| Commerceguys Commerce | =7.x-1.0-alpha1 | |
| Commerceguys Commerce | =7.x-1.0-alpha2 | |
| Commerceguys Commerce | =7.x-1.0-alpha3 | |
| Commerceguys Commerce | =7.x-1.0-alpha4 | |
| Commerceguys Commerce | =7.x-1.0-alpha5 | |
| Commerceguys Commerce | =7.x-1.0-beta1 | |
| Commerceguys Commerce | =7.x-1.0-beta2 | |
| Commerceguys Commerce | =7.x-1.0-beta3 | |
| Commerceguys Commerce | =7.x-1.0-beta4 | |
| Commerceguys Commerce | =7.x-1.0-rc1 | |
| Commerceguys Commerce | =7.x-1.0-rc2 | |
| Commerceguys Commerce | =7.x-1.x-dev |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://drupal.org/node/1416824
- http://drupalcode.org/project/commerce.git/blobdiff/45bc53875f1675750afe60e709a34c95e3008366..b74cdcd:/modules/product/commerce_product.module
- http://osvdb.org/78528
- http://secunia.com/advisories/47730
- http://www.openwall.com/lists/oss-security/2012/04/07/1
- http://www.securityfocus.com/bid/51668
- https://exchange.xforce.ibmcloud.com/vulnerabilities/72743
Frequently Asked Questions
What are the vulnerabilities associated with CVE-2012-1639?
CVE-2012-1639 describes multiple cross-site scripting (XSS) vulnerabilities in the Drupal Commerce module that can be exploited by remote authenticated users.
Which versions of Drupal Commerce are affected by CVE-2012-1639?
CVE-2012-1639 affects Drupal Commerce versions prior to 7.x-1.2.
How can I mitigate the risks from CVE-2012-1639?
To mitigate CVE-2012-1639, upgrade the Drupal Commerce module to version 7.x-1.2 or later.
Can unprivileged users exploit CVE-2012-1639?
No, CVE-2012-1639 can only be exploited by remote authenticated users.
What parameters are involved in the CVE-2012-1639 exploits?
The parameters involved in the CVE-2012-1639 exploits are 'sku' and 'title' within the product/commerce_product.module.
- collector/nvd-index
- vendor/drupal
- canonical/drupal drupal
- vendor/commerceguys
- canonical/commerceguys commerce
- version/commerceguys commerce/7.x-1.1
- version/commerceguys commerce/7.x-1.0
- version/commerceguys commerce/7.x-1.0-alpha1
- version/commerceguys commerce/7.x-1.0-alpha2
- version/commerceguys commerce/7.x-1.0-alpha3
- version/commerceguys commerce/7.x-1.0-alpha4
- version/commerceguys commerce/7.x-1.0-alpha5
- version/commerceguys commerce/7.x-1.0-beta1
- version/commerceguys commerce/7.x-1.0-beta2
- version/commerceguys commerce/7.x-1.0-beta3
- version/commerceguys commerce/7.x-1.0-beta4
- version/commerceguys commerce/7.x-1.0-rc1
- version/commerceguys commerce/7.x-1.0-rc2
- version/commerceguys commerce/7.x-1.x-dev