CVE-2012-1639 - OpenCVE

Multiple cross-site scripting (XSS) vulnerabilities in product/commerce_product.module in the Drupal Commerce module for Drupal before 7.x-1.2 allow remote authenticated users to inject arbitrary web script or HTML via the (1) sku or (2) title parameters.

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:S/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Commerceguys	Commerce
Drupal	Drupal

Configuration 1 [-]

AND

cpe:2.3:a:drupal:drupal:-:*:*:*:*:*:*:*

OR	cpe:2.3:a:commerceguys:commerce::::::::
	cpe:2.3:a:commerceguys:commerce:7.x-1.0:::::::*
	cpe:2.3:a:commerceguys:commerce:7.x-1.0:alpha1::::::
	cpe:2.3:a:commerceguys:commerce:7.x-1.0:alpha2::::::
	cpe:2.3:a:commerceguys:commerce:7.x-1.0:alpha3::::::
	cpe:2.3:a:commerceguys:commerce:7.x-1.0:alpha4::::::
	cpe:2.3:a:commerceguys:commerce:7.x-1.0:alpha5::::::
	cpe:2.3:a:commerceguys:commerce:7.x-1.0:beta1::::::
	cpe:2.3:a:commerceguys:commerce:7.x-1.0:beta2::::::
	cpe:2.3:a:commerceguys:commerce:7.x-1.0:beta3::::::
	cpe:2.3:a:commerceguys:commerce:7.x-1.0:beta4::::::
	cpe:2.3:a:commerceguys:commerce:7.x-1.0:rc1::::::
	cpe:2.3:a:commerceguys:commerce:7.x-1.0:rc2::::::
	cpe:2.3:a:commerceguys:commerce:7.x-1.x:dev::::::

References

Link	Resource
http://drupal.org/node/1416824	Patch Vendor Advisory
http://drupalcode.org/project/commerce.git/blobdiff/45bc53875f1675750afe60e709a34c95e3008366..b74cdcd:/modules/product/commerce_product.module
http://osvdb.org/78528
http://secunia.com/advisories/47730	Vendor Advisory
http://www.openwall.com/lists/oss-security/2012/04/07/1
http://www.securityfocus.com/bid/51668
https://exchange.xforce.ibmcloud.com/vulnerabilities/72743

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: redhat

Published: 2012-10-01T20:00:00

Updated: 2017-08-28T12:57:01

Reserved: 2012-03-12T00:00:00

Link: CVE-2012-1639

JSON object: View

NVD Information

Status : Modified

Published: 2012-10-01T20:55:03.783

Modified: 2017-08-29T01:31:20.397

Link: CVE-2012-1639

JSON object: View

Redhat Information

No data.

CWE

CWE-79

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2012-01-25T00:00:00", "descriptions": [{"lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in product/commerce_product.module in the Drupal Commerce module for Drupal before 7.x-1.2 allow remote authenticated users to inject arbitrary web script or HTML via the (1) sku or (2) title parameters."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-08-28T12:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"name": "78528", "tags": ["vdb-entry", "x_refsource_OSVDB"], "url": "http://osvdb.org/78528"}, {"name": "47730", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/47730"}, {"name": "[oss-security] 20120406 CVE's for Drupal Contrib 2012 001 through 057 (67 new CVE assignments)", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2012/04/07/1"}, {"tags": ["x_refsource_MISC"], "url": "http://drupal.org/node/1416824"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://drupalcode.org/project/commerce.git/blobdiff/45bc53875f1675750afe60e709a34c95e3008366..b74cdcd:/modules/product/commerce_product.module"}, {"name": "drupal-commerce-multiple-xss(72743)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/72743"}, {"name": "51668", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/51668"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2012-1639", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Multiple cross-site scripting (XSS) vulnerabilities in product/commerce_product.module in the Drupal Commerce module for Drupal before 7.x-1.2 allow remote authenticated users to inject arbitrary web script or HTML via the (1) sku or (2) title parameters."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "78528", "refsource": "OSVDB", "url": "http://osvdb.org/78528"}, {"name": "47730", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/47730"}, {"name": "[oss-security] 20120406 CVE's for Drupal Contrib 2012 001 through 057 (67 new CVE assignments)", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2012/04/07/1"}, {"name": "http://drupal.org/node/1416824", "refsource": "MISC", "url": "http://drupal.org/node/1416824"}, {"name": "http://drupalcode.org/project/commerce.git/blobdiff/45bc53875f1675750afe60e709a34c95e3008366..b74cdcd:/modules/product/commerce_product.module", "refsource": "CONFIRM", "url": "http://drupalcode.org/project/commerce.git/blobdiff/45bc53875f1675750afe60e709a34c95e3008366..b74cdcd:/modules/product/commerce_product.module"}, {"name": "drupal-commerce-multiple-xss(72743)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/72743"}, {"name": "51668", "refsource": "BID", "url": "http://www.securityfocus.com/bid/51668"}]}}}}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2012-1639", "datePublished": "2012-10-01T20:00:00", "dateReserved": "2012-03-12T00:00:00", "dateUpdated": "2017-08-28T12:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:drupal:drupal:-:*:*:*:*:*:*:*", "matchCriteriaId": "F8B1170D-AD33-4C7A-892D-63AC71B032CF", "vulnerable": false}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:a:commerceguys:commerce:*:*:*:*:*:*:*:*", "matchCriteriaId": "04D29FF2-2D39-4DE7-8965-9DD40B8E27DC", "versionEndIncluding": "7.x-1.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:commerceguys:commerce:7.x-1.0:*:*:*:*:*:*:*", "matchCriteriaId": "36BE5A7F-A97B-41A2-ADE6-F4D64CE7C046", "vulnerable": true}, {"criteria": "cpe:2.3:a:commerceguys:commerce:7.x-1.0:alpha1:*:*:*:*:*:*", "matchCriteriaId": "D64B0AFA-E9EE-41F9-81C3-6A6BD039021A", "vulnerable": true}, {"criteria": "cpe:2.3:a:commerceguys:commerce:7.x-1.0:alpha2:*:*:*:*:*:*", "matchCriteriaId": "4261C160-8926-4DAC-B2BC-A63D67305144", "vulnerable": true}, {"criteria": "cpe:2.3:a:commerceguys:commerce:7.x-1.0:alpha3:*:*:*:*:*:*", "matchCriteriaId": "AB5E1423-1492-45CC-83FC-9D4A5A0F98EE", "vulnerable": true}, {"criteria": "cpe:2.3:a:commerceguys:commerce:7.x-1.0:alpha4:*:*:*:*:*:*", "matchCriteriaId": "AD023352-F7CE-4D2C-A21B-8CF34F1450BB", "vulnerable": true}, {"criteria": "cpe:2.3:a:commerceguys:commerce:7.x-1.0:alpha5:*:*:*:*:*:*", "matchCriteriaId": "CDA3BB6E-7F11-49EE-B028-989230DBACDD", "vulnerable": true}, {"criteria": "cpe:2.3:a:commerceguys:commerce:7.x-1.0:beta1:*:*:*:*:*:*", "matchCriteriaId": "0252DCA1-8E3A-4E0A-923C-BC03D32D7C05", "vulnerable": true}, {"criteria": "cpe:2.3:a:commerceguys:commerce:7.x-1.0:beta2:*:*:*:*:*:*", "matchCriteriaId": "2ABE5EA8-E848-48BA-A4D3-235DF0B47923", "vulnerable": true}, {"criteria": "cpe:2.3:a:commerceguys:commerce:7.x-1.0:beta3:*:*:*:*:*:*", "matchCriteriaId": "A93AF10B-0D25-4749-8FE3-91F02F9B7F5A", "vulnerable": true}, {"criteria": "cpe:2.3:a:commerceguys:commerce:7.x-1.0:beta4:*:*:*:*:*:*", "matchCriteriaId": "5BF49E58-1B39-4547-9A7A-F87D45DD05B7", "vulnerable": true}, {"criteria": "cpe:2.3:a:commerceguys:commerce:7.x-1.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "872145E2-7B5D-4147-9A1A-B8F3DE95DADC", "vulnerable": true}, {"criteria": "cpe:2.3:a:commerceguys:commerce:7.x-1.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "8B651A2F-2097-4375-B251-AE354B95D06C", "vulnerable": true}, {"criteria": "cpe:2.3:a:commerceguys:commerce:7.x-1.x:dev:*:*:*:*:*:*", "matchCriteriaId": "31E1F368-B3AD-421E-894D-DFB45B812A4C", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in product/commerce_product.module in the Drupal Commerce module for Drupal before 7.x-1.2 allow remote authenticated users to inject arbitrary web script or HTML via the (1) sku or (2) title parameters."}, {"lang": "es", "value": "M\u00faltiples vulnerabilidades de falsificaci\u00f3n de petici\u00f3n en sitios cruzados (CSRF) en el m\u00f3dulo enproduct/commerce_product.module en el m\u00f3dulo Drupal Commerce para Drupal anteriores a v7.x-1.2, permite a atacantes remotos secuestrar la autenticaci\u00f3n de los usuarios para inyectar comandos web o html a trav\u00e9s de los par\u00e1metros (1) sku o (2) title."}], "id": "CVE-2012-1639", "lastModified": "2017-08-29T01:31:20.397", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}]}, "published": "2012-10-01T20:55:03.783", "references": [{"source": "secalert@redhat.com", "tags": ["Patch", "Vendor Advisory"], "url": "http://drupal.org/node/1416824"}, {"source": "secalert@redhat.com", "url": "http://drupalcode.org/project/commerce.git/blobdiff/45bc53875f1675750afe60e709a34c95e3008366..b74cdcd:/modules/product/commerce_product.module"}, {"source": "secalert@redhat.com", "url": "http://osvdb.org/78528"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/47730"}, {"source": "secalert@redhat.com", "url": "http://www.openwall.com/lists/oss-security/2012/04/07/1"}, {"source": "secalert@redhat.com", "url": "http://www.securityfocus.com/bid/51668"}, {"source": "secalert@redhat.com", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/72743"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}