CVE-2012-1639 - OpenCVE

Multiple cross-site scripting (XSS) vulnerabilities in product/commerce_product.module in the Drupal Commerce module for Drupal before 7.x-1.2 allow remote authenticated users to inject arbitrary web script or HTML via the (1) sku or (2) title parameters.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:S/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Commerceguys	Commerce
Drupal	Drupal

Configuration 1 [-]

AND

cpe:2.3:a:drupal:drupal:-:*:*:*:*:*:*:*

OR	cpe:2.3:a:commerceguys:commerce::::::::
	cpe:2.3:a:commerceguys:commerce:7.x-1.0:::::::*
	cpe:2.3:a:commerceguys:commerce:7.x-1.0:alpha1::::::
	cpe:2.3:a:commerceguys:commerce:7.x-1.0:alpha2::::::
	cpe:2.3:a:commerceguys:commerce:7.x-1.0:alpha3::::::
	cpe:2.3:a:commerceguys:commerce:7.x-1.0:alpha4::::::
	cpe:2.3:a:commerceguys:commerce:7.x-1.0:alpha5::::::
	cpe:2.3:a:commerceguys:commerce:7.x-1.0:beta1::::::
	cpe:2.3:a:commerceguys:commerce:7.x-1.0:beta2::::::
	cpe:2.3:a:commerceguys:commerce:7.x-1.0:beta3::::::
	cpe:2.3:a:commerceguys:commerce:7.x-1.0:beta4::::::
	cpe:2.3:a:commerceguys:commerce:7.x-1.0:rc1::::::
	cpe:2.3:a:commerceguys:commerce:7.x-1.0:rc2::::::
	cpe:2.3:a:commerceguys:commerce:7.x-1.x:dev::::::

No data.

References

Link	Providers
http://drupal.org/node/1416824
http://drupalcode.org/project/commerce.git/blobdiff/45bc53875f1675750afe60e709a34c95e3008366..b74cdcd:/modules/product/commerce_product.module
http://osvdb.org/78528
http://secunia.com/advisories/47730
http://www.openwall.com/lists/oss-security/2012/04/07/1
http://www.securityfocus.com/bid/51668
https://exchange.xforce.ibmcloud.com/vulnerabilities/72743

History

No history.

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2012-10-01T20:00:00

Updated: 2024-08-06T19:01:02.891Z

Reserved: 2012-03-12T00:00:00

Link: CVE-2012-1639

Vulnrichment

No data.

NVD

Status : Modified

Published: 2012-10-01T20:55:03.783

Modified: 2017-08-29T01:31:20.397

Link: CVE-2012-1639

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2012-01-25T00:00:00", "descriptions": [{"lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in product/commerce_product.module in the Drupal Commerce module for Drupal before 7.x-1.2 allow remote authenticated users to inject arbitrary web script or HTML via the (1) sku or (2) title parameters."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-08-28T12:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"name": "78528", "tags": ["vdb-entry", "x_refsource_OSVDB"], "url": "http://osvdb.org/78528"}, {"name": "47730", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/47730"}, {"name": "[oss-security] 20120406 CVE's for Drupal Contrib 2012 001 through 057 (67 new CVE assignments)", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2012/04/07/1"}, {"tags": ["x_refsource_MISC"], "url": "http://drupal.org/node/1416824"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://drupalcode.org/project/commerce.git/blobdiff/45bc53875f1675750afe60e709a34c95e3008366..b74cdcd:/modules/product/commerce_product.module"}, {"name": "drupal-commerce-multiple-xss(72743)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/72743"}, {"name": "51668", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/51668"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2012-1639", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Multiple cross-site scripting (XSS) vulnerabilities in product/commerce_product.module in the Drupal Commerce module for Drupal before 7.x-1.2 allow remote authenticated users to inject arbitrary web script or HTML via the (1) sku or (2) title parameters."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "78528", "refsource": "OSVDB", "url": "http://osvdb.org/78528"}, {"name": "47730", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/47730"}, {"name": "[oss-security] 20120406 CVE's for Drupal Contrib 2012 001 through 057 (67 new CVE assignments)", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2012/04/07/1"}, {"name": "http://drupal.org/node/1416824", "refsource": "MISC", "url": "http://drupal.org/node/1416824"}, {"name": "http://drupalcode.org/project/commerce.git/blobdiff/45bc53875f1675750afe60e709a34c95e3008366..b74cdcd:/modules/product/commerce_product.module", "refsource": "CONFIRM", "url": "http://drupalcode.org/project/commerce.git/blobdiff/45bc53875f1675750afe60e709a34c95e3008366..b74cdcd:/modules/product/commerce_product.module"}, {"name": "drupal-commerce-multiple-xss(72743)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/72743"}, {"name": "51668", "refsource": "BID", "url": "http://www.securityfocus.com/bid/51668"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T19:01:02.891Z"}, "title": "CVE Program Container", "references": [{"name": "78528", "tags": ["vdb-entry", "x_refsource_OSVDB", "x_transferred"], "url": "http://osvdb.org/78528"}, {"name": "47730", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/47730"}, {"name": "[oss-security] 20120406 CVE's for Drupal Contrib 2012 001 through 057 (67 new CVE assignments)", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2012/04/07/1"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://drupal.org/node/1416824"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://drupalcode.org/project/commerce.git/blobdiff/45bc53875f1675750afe60e709a34c95e3008366..b74cdcd:/modules/product/commerce_product.module"}, {"name": "drupal-commerce-multiple-xss(72743)", "tags": ["vdb-entry", "x_refsource_XF", "x_transferred"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/72743"}, {"name": "51668", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/51668"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2012-1639", "datePublished": "2012-10-01T20:00:00", "dateReserved": "2012-03-12T00:00:00", "dateUpdated": "2024-08-06T19:01:02.891Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:drupal:drupal:-:*:*:*:*:*:*:*", "matchCriteriaId": "F8B1170D-AD33-4C7A-892D-63AC71B032CF", "vulnerable": false}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:a:commerceguys:commerce:*:*:*:*:*:*:*:*", "matchCriteriaId": "04D29FF2-2D39-4DE7-8965-9DD40B8E27DC", "versionEndIncluding": "7.x-1.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:commerceguys:commerce:7.x-1.0:*:*:*:*:*:*:*", "matchCriteriaId": "36BE5A7F-A97B-41A2-ADE6-F4D64CE7C046", "vulnerable": true}, {"criteria": "cpe:2.3:a:commerceguys:commerce:7.x-1.0:alpha1:*:*:*:*:*:*", "matchCriteriaId": "D64B0AFA-E9EE-41F9-81C3-6A6BD039021A", "vulnerable": true}, {"criteria": "cpe:2.3:a:commerceguys:commerce:7.x-1.0:alpha2:*:*:*:*:*:*", "matchCriteriaId": "4261C160-8926-4DAC-B2BC-A63D67305144", "vulnerable": true}, {"criteria": "cpe:2.3:a:commerceguys:commerce:7.x-1.0:alpha3:*:*:*:*:*:*", "matchCriteriaId": "AB5E1423-1492-45CC-83FC-9D4A5A0F98EE", "vulnerable": true}, {"criteria": "cpe:2.3:a:commerceguys:commerce:7.x-1.0:alpha4:*:*:*:*:*:*", "matchCriteriaId": "AD023352-F7CE-4D2C-A21B-8CF34F1450BB", "vulnerable": true}, {"criteria": "cpe:2.3:a:commerceguys:commerce:7.x-1.0:alpha5:*:*:*:*:*:*", "matchCriteriaId": "CDA3BB6E-7F11-49EE-B028-989230DBACDD", "vulnerable": true}, {"criteria": "cpe:2.3:a:commerceguys:commerce:7.x-1.0:beta1:*:*:*:*:*:*", "matchCriteriaId": "0252DCA1-8E3A-4E0A-923C-BC03D32D7C05", "vulnerable": true}, {"criteria": "cpe:2.3:a:commerceguys:commerce:7.x-1.0:beta2:*:*:*:*:*:*", "matchCriteriaId": "2ABE5EA8-E848-48BA-A4D3-235DF0B47923", "vulnerable": true}, {"criteria": "cpe:2.3:a:commerceguys:commerce:7.x-1.0:beta3:*:*:*:*:*:*", "matchCriteriaId": "A93AF10B-0D25-4749-8FE3-91F02F9B7F5A", "vulnerable": true}, {"criteria": "cpe:2.3:a:commerceguys:commerce:7.x-1.0:beta4:*:*:*:*:*:*", "matchCriteriaId": "5BF49E58-1B39-4547-9A7A-F87D45DD05B7", "vulnerable": true}, {"criteria": "cpe:2.3:a:commerceguys:commerce:7.x-1.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "872145E2-7B5D-4147-9A1A-B8F3DE95DADC", "vulnerable": true}, {"criteria": "cpe:2.3:a:commerceguys:commerce:7.x-1.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "8B651A2F-2097-4375-B251-AE354B95D06C", "vulnerable": true}, {"criteria": "cpe:2.3:a:commerceguys:commerce:7.x-1.x:dev:*:*:*:*:*:*", "matchCriteriaId": "31E1F368-B3AD-421E-894D-DFB45B812A4C", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in product/commerce_product.module in the Drupal Commerce module for Drupal before 7.x-1.2 allow remote authenticated users to inject arbitrary web script or HTML via the (1) sku or (2) title parameters."}, {"lang": "es", "value": "M\u00faltiples vulnerabilidades de falsificaci\u00f3n de petici\u00f3n en sitios cruzados (CSRF) en el m\u00f3dulo enproduct/commerce_product.module en el m\u00f3dulo Drupal Commerce para Drupal anteriores a v7.x-1.2, permite a atacantes remotos secuestrar la autenticaci\u00f3n de los usuarios para inyectar comandos web o html a trav\u00e9s de los par\u00e1metros (1) sku o (2) title."}], "id": "CVE-2012-1639", "lastModified": "2017-08-29T01:31:20.397", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}]}, "published": "2012-10-01T20:55:03.783", "references": [{"source": "secalert@redhat.com", "tags": ["Patch", "Vendor Advisory"], "url": "http://drupal.org/node/1416824"}, {"source": "secalert@redhat.com", "url": "http://drupalcode.org/project/commerce.git/blobdiff/45bc53875f1675750afe60e709a34c95e3008366..b74cdcd:/modules/product/commerce_product.module"}, {"source": "secalert@redhat.com", "url": "http://osvdb.org/78528"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/47730"}, {"source": "secalert@redhat.com", "url": "http://www.openwall.com/lists/oss-security/2012/04/07/1"}, {"source": "secalert@redhat.com", "url": "http://www.securityfocus.com/bid/51668"}, {"source": "secalert@redhat.com", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/72743"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}