Vigil@nce - Drupal Payment for Webform: credit theft
November 2013 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can use credits of a Drupal Payment for Webform user,
in order to submit a form.
Impacted products: Drupal Modules
Severity: 2/4
Creation date: 07/11/2013
DESCRIPTION OF THE VULNERABILITY
The Drupal Payment for Webform module requires a payment before
submitting a form.
However, an anonymous attacker can use credits of another
anonymous user.
An attacker can therefore use credits of a Drupal Payment for
Webform user, in order to submit a form.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Drupal-Payment-for-Webform-credit-theft-13718