Advisory ID: BACKDROP-SA-CONTRIB-2019-003
Date: Thursday, Mar 7th, 2019
Vulnerability: Cross Site Request Forgery
Versions affected: 
  • Ubercart 1.x.x versions prior to 1.x-1.0.4-beta

The Ubercart module provides a shopping cart and e-commerce features for Backdrop CMS.

The taxes module doesn't sufficiently protect the tax rate cloning feature. A malicious user could trick a store administrator into duplicating an existing tax rate by getting them to visit a specially-crafted URL.
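
As an added illustration (not Ubercart or Backdrop code, and not the fix shipped in the release): one common way to protect a state-changing link such as a tax rate clone action is to require a token bound to the administrator's session and to that specific action. The path, function names, and sample data below are hypothetical.

```php
<?php
// Added example. The path, helper names and in-memory $rates store are
// hypothetical and do not come from Ubercart or Backdrop.

// Token bound to the session secret and to one action on one rate, so a
// token issued for a different link cannot be reused here.
function clone_token(string $session_secret, int $rate_id): string {
  return hash_hmac('sha256', "tax-rate-clone:$rate_id", $session_secret);
}

// Link as the site itself would render it for the logged-in administrator.
function clone_link(string $session_secret, int $rate_id): string {
  return "/example/tax-rate/$rate_id/clone?token="
    . clone_token($session_secret, $rate_id);
}

// Weak form: reaching the path is enough to change state, so a request the
// administrator's browser was induced to send from another site succeeds.
function clone_rate_unprotected(array &$rates, int $rate_id): bool {
  if (!isset($rates[$rate_id])) {
    return false;
  }
  $rates[] = $rates[$rate_id];
  return true;
}

// Hardened form: refuse unless the request carries the token for this
// session and this rate. hash_equals() compares in constant time, and the
// is_string() check rejects array-valued parameters such as token[]=x.
function clone_rate_protected(array &$rates, int $rate_id, array $query, string $session_secret): bool {
  $supplied = $query['token'] ?? '';
  if (!is_string($supplied)
      || !hash_equals(clone_token($session_secret, $rate_id), $supplied)) {
    return false;
  }
  return clone_rate_unprotected($rates, $rate_id);
}

// Constructed sample data.
$secret = bin2hex(random_bytes(32));
$rates = [1 => ['name' => 'Sample VAT', 'rate' => 0.2]];

// Request without a token, as a cross-site request would arrive: refused.
var_dump(clone_rate_protected($rates, 1, [], $secret));

// Request built from the link the site rendered: accepted, rate duplicated.
parse_str(parse_url(clone_link($secret, 1), PHP_URL_QUERY), $query);
var_dump(clone_rate_protected($rates, 1, $query, $secret));
var_dump(count($rates));
```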

Solution: 

Upgrade your site to the most recent version of Ubercart. Download available on the Ubercart 1.x-1.0.4-beta release page. See the update instructions, if needed.

Reported By: 
Fixed By: 
Coordinated By: