Drupal Commerce Skrill Module Security Bypass Vulnerability

by Carol~ Moderator - 4/4/13 10:47 AM

In Reply to: VULNERABILITIES / FIXES - April 04, 2013 by Carol~ Moderator

Release Date: 2013-04-04

Criticality level: Less critical
Impact: Security Bypass
Where: From remote
Solution Status: Vendor Patch

Software: Drupal Commerce Skrill Module 7.x

Description:
A vulnerability has been reported in the Commerce Skrill module for Drupal, which can be exploited by malicious people to bypass certain security restrictions.

The application does not properly verify access rights when processing Instant payment notifications (IPN) and can be exploited to e.g. forge notifications.

The vulnerability is reported in versions prior to 7.x-1.2.

Solution:
Update to version 7.x-1.2.

Original Advisory:
SA-CONTRIB-2013-040:
http://drupal.org/node/1960338

http://secunia.com/advisories/52823/
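
The kind of check whose absence lets IPNs be forged, as an added example that is not part of the original post and is not the Commerce Skrill module's code or its 7.x-1.2 patch: a handler that accepts a payment notification only if its shared-secret signature verifies and its fields match the stored order. Assumptions: the field names, the `md5sig` recipe and status value `2` follow Skrill's merchant integration documentation; the function names, merchant id, secret word and order records are hypothetical.

```php
<?php
// Added example, not the Commerce Skrill module's code. Field names and the
// md5sig recipe are assumed from Skrill's merchant integration documentation.

function skrill_expected_sig(array $p, string $secretWord): string {
    return strtoupper(md5(
        $p['merchant_id'] . $p['transaction_id'] . strtoupper(md5($secretWord)) .
        $p['mb_amount'] . $p['mb_currency'] . $p['status']
    ));
}

// Returns true only if the notification is authentic AND matches the order.
function skrill_ipn_marks_paid(array $p, array $order, string $merchantId, string $secretWord): bool {
    foreach (['merchant_id', 'transaction_id', 'mb_amount', 'mb_currency', 'status', 'md5sig'] as $k) {
        // Reject missing fields and array-valued parameters (e.g. md5sig[]=x).
        if (!isset($p[$k]) || !is_string($p[$k])) {
            return false;
        }
    }
    // Constant-time comparison of the shared-secret signature.
    if (!hash_equals(skrill_expected_sig($p, $secretWord), strtoupper($p['md5sig']))) {
        return false;
    }
    // A valid signature is not enough: bind the message to this merchant and order.
    $amountMinor = (int) round(((float) $p['mb_amount']) * 100);
    return $p['merchant_id'] === $merchantId
        && $p['transaction_id'] === $order['transaction_id']
        && $p['mb_currency'] === $order['currency']
        && $amountMinor === $order['amount_minor']
        && $p['status'] === '2'; // assumed: 2 = processed
}

// Constructed sample data (hypothetical merchant, secret word and orders).
$merchantId = '10000001';
$secret     = 'example-secret-word';
$order      = ['transaction_id' => 'ORDER-42', 'currency' => 'EUR', 'amount_minor' => 2500];
$otherOrder = ['transaction_id' => 'ORDER-43', 'currency' => 'EUR', 'amount_minor' => 9900];

$genuine = ['merchant_id' => $merchantId, 'transaction_id' => 'ORDER-42',
            'mb_amount' => '25.00', 'mb_currency' => 'EUR', 'status' => '2'];
$genuine['md5sig'] = skrill_expected_sig($genuine, $secret);

$unsigned = $genuine;
$unsigned['md5sig'] = strtoupper(md5('guess')); // sender does not know the secret word

var_dump(skrill_ipn_marks_paid($genuine, $order, $merchantId, $secret));      // authentic, matches order
var_dump(skrill_ipn_marks_paid($unsigned, $order, $merchantId, $secret));     // signature check fails
var_dump(skrill_ipn_marks_paid($genuine, $otherOrder, $merchantId, $secret)); // authentic, wrong order
```

The third call shows why the order binding matters: a correctly signed notification for one order must not mark a different order as paid.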