
it-securitynotifies - [IT-SecNots] [Security-news] Commerce Core - Moderately critical - Access bypass, Information Disclosure - SA-CONTRIB-2021-032

it-securitynotifies AT lists.piratenpartei.de

Subject: Security announcements

  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] Commerce Core - Moderately critical - Access bypass, Information Disclosure - SA-CONTRIB-2021-032
  • Date: Wed, 22 Sep 2021 18:05:26 +0000 (UTC)
  • Authentication-results: mail02.piratenpartei.de; dkim=none; spf=pass (mail02.piratenpartei.de: domain of security-news-bounces AT drupal.org designates 140.211.166.138 as permitted sender) smtp.mailfrom=security-news-bounces AT drupal.org; dmarc=pass (policy=none) header.from=drupal.org
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-contrib-2021-032

Project: Commerce Core [1]
Date: 2021-September-22
Security risk: *Moderately critical* 14∕25
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Access bypass, Information Disclosure

Description: 
This module provides a system for building an ecommerce solution on a
Drupal site.

The module doesn't sufficiently verify access to profile data in certain
circumstances.

This vulnerability is mitigated by the fact that an attacker must have
permission to perform the checkout operation.

Solution: 
Install the latest version:

* If you use the Commerce module for Drupal 8.x, upgrade to Commerce
8.x-2.27 [3]

Reported By: 
* Sasanka Jandhyala [4]

Fixed By: 
* Sasanka Jandhyala [5]
* Matt Glaman [6]
* Jonathan Sacksick [7]

Coordinated By: 
* Damien McKenna [8] of the Drupal Security Team


[1] https://www.drupal.org/project/commerce
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/commerce/releases/8.x-2.27
[4] https://www.drupal.org/user/3541248
[5] https://www.drupal.org/user/3541248
[6] https://www.drupal.org/user/2416470
[7] https://www.drupal.org/user/972218
[8] https://www.drupal.org/u/damienmckenna
