CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
EPSS
Percentile
69.6%
Drupal Commerce is used to build eCommerce websites and applications of all sizes.
The commerce_order module can be used to create new user accounts where email addresses are used as user names. Since user names are not considered private information in Drupal this is an information disclosure of email addresses.
This vulnerability is mitigated by the fact that the commerce_checkout module must be enabled with the default rule configuration enabled that creates new user accounts when an anonymous user completes the checkout process.
Drupal core is not affected. If you do not use the contributed Drupal Commerce module,
there is nothing you need to do.
Drupal Commerce 1.10 includes an update function that will change all user names on the site that look like email addresses. This can be a disruptive process for some sites and therefore must be enabled explicitly by the update administrator. If you don’t run the default update function you need to make sure yourself that user names are not valid email addresses.
To enable the username cleaning update function, you must set the commerce_checkout_run_update_7103 variable to TRUE
before running update.php
or drush updb
: You can either use $conf['commerce_checkout_run_update_7103'] = TRUE;
in settings.php or drush vset commerce_checkout_run_update_7103 1
.
Then install the latest version:
In case you don’t want to apply the default update function you can just run update.php
without the variable and the update function will be skipped.
Also see the Drupal Commerce project page.
www.drupal.org/contact
www.drupal.org/node/1004778
www.drupal.org/project/commerce
www.drupal.org/security-team
www.drupal.org/security-team/risk-levels
www.drupal.org/security/secure-configuration
www.drupal.org/user/22211
www.drupal.org/user/262198
www.drupal.org/user/36762
www.drupal.org/user/91990
www.drupal.org/writing-secure-code