Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.Project:
Date:
2021-September-22
Vulnerability:
Access bypass, Information Disclosure
Affected versions:
<2.27.0
Description:
This module provides a system for building an ecommerce solution in their Drupal site.
The module doesn't sufficiently verify access to profile data in certain circumstances.
This vulnerability is mitigated by the fact that an attacker must have permission to perform the checkout operation.
Solution:
Install the latest version:
- If you use the Commerce module for Drupal 8.x, upgrade to Commerce 8.x-2.27
Reported By:
Fixed By:
Coordinated By:
- Damien McKenna of the Drupal Security Team
