Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.Project:
Date:
2020-May-27
Vulnerability:
Access bypass
Affected versions:
<2.18.0
Description:
Drupal Commerce is used to build eCommerce websites and applications. It's possible to configure commerce to permit orders by anonymous users. In this configuration, customers who do not choose to create an account upon checkout completion remain anonymous, and the resulting orders are never assigned an owner.
When anonymous users are granted the "View own orders" permission, they are able to see any such anonymous order via direct navigation to its view page. The module does not include extra access control necessary to ensure anonymous users are only able to view their own previously placed orders.
This vulnerability is mitigated by the fact that a site must be configured to permit anonymous checkout and an attacker must be an anonymous user with the permission "View own orders".
Solution:
Install the latest version:
- If you use Commerce for Drupal 8.x upgrade to Commerce 2.18
Also see the Drupal Commerce project page.
Reported By:
Fixed By:
- Alex Pott of the Drupal Security Team
- Matt Glaman
- Joe Kersey
Coordinated By:
- Greg Knaddison of the Drupal Security Team
