Date: Tuesday, Oct 8th, 2019
Security risk: Moderately Critical
Advisory ID: BACKDROP-SA-CONTRIB-2019-012
Vulnerability: Cross Site Scripting
Versions affected: 

The Ubercart module provides a shopping cart and e-commerce features for Backdrop CMS.

The order submodule doesn't sufficiently sanitize user input when displayed on an invoice, leading to a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "edit orders".
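As an added illustration (not Ubercart's own code, which this advisory does not reproduce), the unsafe output pattern the advisory describes is shown beside its escaped form using Backdrop core's check_plain(); the hypothetical_-prefixed function names and the delivery_note field are assumptions.

```php
<?php
// Added example, not Ubercart code. check_plain() is a Backdrop core API
// function; the fallback below only lets this file run outside Backdrop.
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// Vulnerable pattern: a field that a user holding "edit orders" controls
// (here a hypothetical delivery note) is concatenated straight into the
// invoice markup, so any tags stored in it reach the viewer's browser intact.
function hypothetical_invoice_line_unsafe(array $order) {
  return '<div class="invoice-note">' . $order['delivery_note'] . '</div>';
}

// Hardened pattern: escape at output time. check_plain() converts <, >, &
// and quotes to entities, so the browser displays the text instead of
// parsing it as markup. filter_xss() (also Backdrop core) is the alternative
// when a limited set of HTML tags is intentionally allowed in the field.
function hypothetical_invoice_line_safe(array $order) {
  return '<div class="invoice-note">'
    . check_plain($order['delivery_note'])
    . '</div>';
}

// Constructed sample order: a note containing markup, as it would be stored
// if someone typed it into the order edit form.
$order = array(
  'delivery_note' => 'Leave at door <b onmouseover="x()">thanks</b>',
);

// First line emits the stored markup verbatim; second line emits an
// entity-encoded string that renders as literal text.
echo hypothetical_invoice_line_unsafe($order), PHP_EOL;
echo hypothetical_invoice_line_safe($order), PHP_EOL;
```

Run with `php` from the command line to compare the two outputs; in a real module the escaped form belongs in the theme function or template that renders the invoice.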

Solution: 

Upgrade your site to the most recent version of the Ubercart module. See the update instructions, if needed.

Reported By: 
Fixed By: 
Coordinated By: 

Security email list

Backdrop maintains a security mailing list. Whenever a security release comes out, an email will be sent to everyone subscribed to that list, announcing the new release. Please follow the steps below to join the Security email list.

  • Log in to backdropcms.org
  • Edit your profile
  • Scroll down to the "Email notifications" section
  • Check the box labeled "Receive BackdropCMS.org security announcements for core and contrib projects"