[Security-news] Drupal Commerce - Moderately critical - Access bypass - SA-CONTRIB-2020-020

security-news at drupal.org security-news at drupal.org
Wed May 27 16:50:10 UTC 2020


View online: https://www.drupal.org/sa-contrib-2020-020

Project: Drupal Commerce [1]
Date: 2020-May-27
Security risk: *Moderately critical* 12/25
AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Default [2]
Vulnerability: Access bypass

Description: 
Drupal Commerce is used to build eCommerce websites and applications. It's
possible to configure commerce to permit orders by anonymous users. In this
configuration, customers who do not choose to create an account upon checkout
completion remain anonymous, and the resulting orders are never assigned an
owner.

When anonymous users are granted the "View own orders" permission, they are
able to see any such anonymous order via direct navigation to its view page.
The module does not include extra access control necessary to ensure
anonymous users are only able to view their own previously placed orders.

This vulnerability is mitigated by the fact that a site must be configured to
permit anonymous checkout and an attacker must be an anonymous user with the
permission "View own orders".
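The defect described above is an ownership test that collapses for anonymous users: an order with no owner has customer uid 0, the anonymous visitor also has uid 0, so a plain "customer id equals account id" comparison matches every anonymous order. The following is an added example (not code from the Commerce project or from the 2.18 fix) of a hardened "view own" check that additionally requires the order id to be present in the visitor's own cart session; it assumes Commerce's `CartSessionInterface` service and assumes `view own commerce_order` is the machine name behind the "View own orders" permission label.

```php
<?php

declare(strict_types=1);

use Drupal\commerce_cart\CartSessionInterface;
use Drupal\commerce_order\Entity\OrderInterface;
use Drupal\Core\Access\AccessResult;
use Drupal\Core\Access\AccessResultInterface;
use Drupal\Core\Session\AccountInterface;

/**
 * Decides whether $account may view $order under "View own orders".
 *
 * A weak check that only compares $order->getCustomerId() with
 * $account->id() treats "uid 0 == uid 0" as ownership, which is the
 * access bypass: every anonymous order becomes viewable by every
 * anonymous visitor holding the permission. This version only grants
 * anonymous access when the visitor's own session placed the order.
 */
function checkViewOwnOrderAccess(
  OrderInterface $order,
  AccountInterface $account,
  CartSessionInterface $cart_session
): AccessResultInterface {
  // Permission machine name assumed from the "View own orders" label.
  if (!$account->hasPermission('view own commerce_order')) {
    return AccessResult::neutral()->cachePerPermissions();
  }

  // Authenticated users: ownership is a plain uid comparison.
  if (!$account->isAnonymous()) {
    return AccessResult::allowedIf($order->getCustomerId() == $account->id())
      ->cachePerUser()
      ->addCacheableDependency($order);
  }

  // Anonymous users: require that this browser session created the order,
  // either as its still-active cart or as a cart it already checked out.
  $placed_in_this_session =
    $cart_session->hasCartId($order->id(), CartSessionInterface::ACTIVE)
    || $cart_session->hasCartId($order->id(), CartSessionInterface::COMPLETED);

  // The decision depends on session state, so it must not be cached.
  return AccessResult::allowedIf($placed_in_this_session)
    ->setCacheMaxAge(0)
    ->addCacheableDependency($order);
}
```

In a real module this logic would live in the order entity's access control handler (or an `hook_ENTITY_TYPE_access()` implementation) rather than a free function; the session lookup is what closes the gap for ownerless orders.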

Solution: 
Install the latest version:

   * If you use Commerce for Drupal 8.x upgrade to Commerce 2.18 [3]

Also see the Drupal Commerce [4] project page.

Reported By: 
   * Joe Kersey  [5]
   * Honza Pobořil  [6]

Fixed By: 
   * Alex Pott  [7] of the Drupal Security Team
   * Matt Glaman  [8]
   * Joe Kersey  [9]

Coordinated By: 
   * Greg Knaddison [10] of the Drupal Security Team


[1] https://www.drupal.org/project/commerce
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/commerce/releases/8.x-2.18
[4] https://www.drupal.org/project/commerce
[5] https://www.drupal.org/user/2229066
[6] https://www.drupal.org/user/123612
[7] https://www.drupal.org/user/157725
[8] https://www.drupal.org/user/2416470
[9] https://www.drupal.org/user/2229066
[10] https://www.drupal.org/user/36762
