UC Profile Moderately Critical Information Disclosure Vulnerabilities
21 Feb. 2016
Summary
The UC Profile module 6.x-1.x before 6.x-1.3 for Drupal does not properly check access to profiles in certain circumstances, which might allow remote attackers to obtain sensitive information from the anonymous user profile.
Vulnerable Systems:
* The UC Profile module 6.x-1.x before 6.x-1.3
Immune Systems:
* The UC Profile module after 6.x-1.3
The UC Profile module enables you to collect profile fields for users during the Ubercart checkout process, as a checkout pane. The module doesn't sufficiently check access to profiles under certain circumstances. Depending on the information being collected, sensitive data may be exposed. This vulnerability is mitigated by the fact that only sites that store data to the anonymous user's profile are affected.