it-securitynotifies AT lists.piratenpartei.de
Subject: Security announcements
List archive
[IT-SecNots] [Security-news] Drupal Commerce - Moderately critical - Access bypass - SA-CONTRIB-2020-020
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecNots] [Security-news] Drupal Commerce - Moderately critical - Access bypass - SA-CONTRIB-2020-020
- Date: Wed, 27 May 2020 16:50:10 +0000 (UTC)
- List-archive: <http://lists.drupal.org/pipermail/security-news/>
- List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-contrib-2020-020
Project: Drupal Commerce [1]
Date: 2020-May-27
Security risk: *Moderately critical* 12/25
AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Default [2]
Vulnerability: Access bypass
Description:
Drupal Commerce is used to build eCommerce websites and applications. It is
possible to configure Commerce to permit orders by anonymous users. In this
configuration, customers who do not choose to create an account upon checkout
completion remain anonymous, and the resulting orders are never assigned an
owner (they keep the anonymous user id).
When anonymous users are granted the "View own orders" permission, they are
able to see any such anonymous order via direct navigation to its view page.
The module does not include extra access control necessary to ensure
anonymous users are only able to view their own previously placed orders.
This vulnerability is mitigated by the fact that a site must be configured to
permit anonymous checkout and an attacker must be an anonymous user with the
permission "View own orders".
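The bypass class described above, as an added illustration that is not Drupal Commerce code: an "own orders" check that only compares the order's customer id with the viewer's uid is satisfied by every ownerless order when both ids are the anonymous uid 0. The hardened variant refuses to treat uid equality as ownership for anonymous accounts and instead requires session-scoped evidence that the order was placed in this browser session. The class names, the `completed_order_ids` session set and the permission string are assumptions for the model, not the module's actual API.

```python
"""Toy model of an anonymous-order access bypass (constructed example,
not Drupal Commerce code). Field and class names are assumptions."""
from dataclasses import dataclass, field

ANONYMOUS_UID = 0  # Drupal convention: the anonymous user has uid 0
VIEW_OWN = "view own orders"  # permission name as used in the advisory


@dataclass(frozen=True)
class Account:
    uid: int
    permissions: frozenset

    @property
    def is_authenticated(self) -> bool:
        return self.uid != ANONYMOUS_UID


@dataclass(frozen=True)
class Order:
    order_id: int
    customer_id: int  # stays ANONYMOUS_UID when no owner was ever assigned


@dataclass
class Session:
    # Assumed mechanism: ids of orders completed in this browser session.
    completed_order_ids: set = field(default_factory=set)


def vulnerable_can_view(order: Order, account: Account) -> bool:
    """'View own orders' implemented as a bare id comparison.

    For an anonymous viewer both sides are 0, so every ownerless order
    looks like the viewer's own order."""
    return VIEW_OWN in account.permissions and order.customer_id == account.uid


def hardened_can_view(order: Order, account: Account, session: Session) -> bool:
    """Same permission, but uid equality only counts for real accounts.

    Anonymous viewers must prove the order came out of their own session."""
    if VIEW_OWN not in account.permissions:
        return False
    if account.is_authenticated:
        return order.customer_id == account.uid
    return (order.customer_id == ANONYMOUS_UID
            and order.order_id in session.completed_order_ids)


def demo() -> dict:
    """Run both checks against constructed orders and viewers."""
    stranger_order = Order(order_id=101, customer_id=ANONYMOUS_UID)  # someone else's guest order
    my_guest_order = Order(order_id=102, customer_id=ANONYMOUS_UID)  # placed in attacker's own session
    alice_order = Order(order_id=103, customer_id=7)

    anon = Account(uid=ANONYMOUS_UID, permissions=frozenset({VIEW_OWN}))
    alice = Account(uid=7, permissions=frozenset({VIEW_OWN}))
    anon_session = Session(completed_order_ids={102})

    return {
        # the bypass: anonymous viewer reads a stranger's ownerless order
        "vuln_anon_stranger": vulnerable_can_view(stranger_order, anon),
        "hard_anon_stranger": hardened_can_view(stranger_order, anon, anon_session),
        # legitimate guest viewing the order from their own session
        "hard_anon_own_session": hardened_can_view(my_guest_order, anon, anon_session),
        # authenticated behaviour is unchanged by the hardening
        "vuln_alice_own": vulnerable_can_view(alice_order, alice),
        "hard_alice_own": hardened_can_view(alice_order, alice, Session()),
        "hard_alice_other": hardened_can_view(stranger_order, alice, Session()),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

The model makes the practitioner's check explicit: any "own" permission must be backed by a notion of ownership that anonymous users cannot share, which an id comparison alone never provides.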
Solution:
Install the latest version:
* If you use Commerce for Drupal 8.x, upgrade to Commerce 2.18 [3]
Also see the Drupal Commerce [4] project page.
Reported By:
* Joe Kersey [5]
* Honza Pobořil [6]
Fixed By:
* Alex Pott [7] of the Drupal Security Team
* Matt Glaman [8]
* Joe Kersey [9]
Coordinated By:
* Greg Knaddison [10] of the Drupal Security Team
[1] https://www.drupal.org/project/commerce
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/commerce/releases/8.x-2.18
[4] https://www.drupal.org/project/commerce
[5] https://www.drupal.org/user/2229066
[6] https://www.drupal.org/user/123612
[7] https://www.drupal.org/user/157725
[8] https://www.drupal.org/user/2416470
[9] https://www.drupal.org/user/2229066
[10] https://www.drupal.org/user/36762
_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news