MidnightBSD

Advisories for ubercart

CVE-2009-4771 MEDIUM

The PayPal Website Payments Standard functionality in the Ubercart module 5.x before 5.x-1.9 and 6.x before 6.x-2.1 for Drupal does not properly validate orders, which allows remote attackers to trigger unspecified "duplicate actions" via unknown vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
ubercart ubercart 5.x-1.1
ubercart ubercart 5.x-1.5
ubercart ubercart 5.x-1.4
ubercart ubercart 5.x-1.8
ubercart ubercart 6.x-2.0
ubercart ubercart 5.x-1.6
ubercart ubercart 5.x-1.2
ubercart ubercart 5.x-1.3
ubercart ubercart 5.x-1.0
ubercart ubercart 5.x-1.7
CVE-2009-4772 MEDIUM

Unspecified vulnerability in the PayPal Website Payments Standard functionality in the Ubercart module 5.x before 5.x-1.9 and 6.x before 6.x-2.1 for Drupal, when a custom checkout completion message is enabled, allows attackers to obtain sensitive information via unknown vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
ubercart ubercart 5.x-1.1
ubercart ubercart 5.x-1.5
ubercart ubercart 5.x-1.4
ubercart ubercart 5.x-1.8
ubercart ubercart 6.x-2.0
ubercart ubercart 5.x-1.6
ubercart ubercart 5.x-1.2
ubercart ubercart 5.x-1.3
ubercart ubercart 5.x-1.0
ubercart ubercart 5.x-1.7
CVE-2009-4773 MEDIUM

Cross-site request forgery (CSRF) vulnerability in the order-management functionality in the Ubercart module 5.x before 5.x-1.9 and 6.x before 6.x-2.1 for Drupal allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,

Products Affected

Vendor Product Version
ubercart ubercart 5.x-1.1
ubercart ubercart 5.x-1.5
ubercart ubercart 5.x-1.4
ubercart ubercart 5.x-1.8
ubercart ubercart 6.x-2.0
ubercart ubercart 5.x-1.6
ubercart ubercart 5.x-1.2
ubercart ubercart 5.x-1.3
ubercart ubercart 5.x-1.0
ubercart ubercart 5.x-1.7
CVE-2012-5802 MEDIUM

The PayPal module in Ubercart does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
paypal paypal -
ubercart ubercart -
CVE-2012-5803 MEDIUM

The Authorize.Net module in Ubercart does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
irata authorize.net_module -
ubercart ubercart -
CVE-2012-5804 MEDIUM

The CyberSource module in Ubercart does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
cybersource_module_project cybersource -
ubercart ubercart -
CVE-2013-0322 MEDIUM

Cross-site scripting (XSS) vulnerability in Views in the Ubercart module 7.x-3.x before 7.x-3.4 for Drupal allows remote attackers to inject arbitrary web script or HTML via the full name field.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
ubercart ubercart 7.x-3.1
ubercart ubercart 7.x-3.3
ubercart ubercart 7.x-3.0
ubercart ubercart 7.x-3.2
CVE-2013-7302 MEDIUM

Session fixation vulnerability in the Ubercart module 6.x-2.x before 6.x-2.13 and 7.x-3.x before 7.x-3.6 for Drupal, when the "Log in new customers after checkout" option is enabled, allows remote attackers to hijack web sessions by leveraging knowledge of the original session ID.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-287,

Products Affected

Vendor Product Version
ubercart ubercart 7.x-3.1
ubercart ubercart 6.x-2.10
ubercart ubercart 6.x-2.8
ubercart ubercart 7.x-3.3
ubercart ubercart 7.x-3.0
ubercart ubercart 6.x-2.11
ubercart ubercart 7.x-3.2
ubercart ubercart 6.x-2.9
ubercart ubercart 7.x-3.5
ubercart ubercart 6.x-2.1
ubercart ubercart 6.x-2.12
ubercart ubercart 6.x-2.7
ubercart ubercart 6.x-2.6
ubercart ubercart 6.x-2.0
ubercart ubercart 6.x-2.2
ubercart ubercart 6.x-2.3
ubercart ubercart 7.x-3.4
ubercart ubercart 6.x-2.4
CVE-2014-9026 MEDIUM

The Ubercart module 7.x-3.x before 7.x-3.7 for Drupal does not properly protect the per-user order history view, which allows remote authenticated users with the "view own orders" permission to obtain sensitive information via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
ubercart ubercart 7.x-3.1
ubercart ubercart 7.x-3.5
ubercart ubercart 7.x-3.x-dev
ubercart ubercart 7.x-3.3
ubercart ubercart 7.x-3.7
ubercart ubercart 7.x-3.0
ubercart ubercart 7.x-3.4
ubercart ubercart 7.x-3.2
ubercart ubercart 7.x-3.6