DRUPAL-CONTRIB-2020-020

Import Source
https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/commerce/DRUPAL-CONTRIB-2020-020.json
JSON Data
https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2020-020
Published
2020-05-27T15:32:52Z
Modified
2025-12-10T23:28:43.491471Z
Summary
[none]
Details

Drupal Commerce is used to build eCommerce websites and applications. It is possible to configure Commerce to permit orders by anonymous users. In this configuration, customers who do not choose to create an account upon checkout completion remain anonymous, and the resulting orders are never assigned an owner.

When anonymous users are granted the "View own orders" permission, they are able to see any such anonymous order via direct navigation to its view page. The module does not include extra access control necessary to ensure anonymous users are only able to view their own previously placed orders.

This vulnerability is mitigated by the fact that a site must be configured to permit anonymous checkout and an attacker must be an anonymous user with the permission "View own orders".
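The access gap described above can be shown in a small model. The code below is an added illustration, not Drupal Commerce's own access handler: a "view own orders" check that compares the order's owner uid with the current user's uid treats every anonymous order (owner uid 0) as belonging to every anonymous visitor (also uid 0). The hardened variant assumes, as a hypothetical mechanism, that order ids placed in the current session are recorded (`session_order_ids`) and only lets an anonymous visitor view those; this is an assumption for the example, not a description of the 2.18.0 fix.

```python
from dataclasses import dataclass, field

# Constructed model of the ownership check; not Drupal Commerce code.
ANONYMOUS_UID = 0
VIEW_OWN_ORDERS = "view own orders"


@dataclass
class Order:
    order_id: int
    owner_uid: int  # 0 means the order was placed anonymously and has no owner


@dataclass
class Account:
    uid: int
    permissions: set
    # Hypothetical: ids of orders placed during this visitor's session.
    session_order_ids: set = field(default_factory=set)


def can_view_order_naive(account: Account, order: Order) -> bool:
    """Ownership check with no special handling for anonymous users.

    Because anonymous orders carry owner uid 0 and anonymous visitors
    also have uid 0, the comparison succeeds for every anonymous order.
    """
    if VIEW_OWN_ORDERS not in account.permissions:
        return False
    return order.owner_uid == account.uid


def can_view_order_hardened(account: Account, order: Order) -> bool:
    """Ownership check that scopes anonymous access to the visitor's own session.

    Registered users are matched on uid as before; anonymous visitors may
    only view anonymous orders whose id was recorded in their session
    (assumed mechanism for this example).
    """
    if VIEW_OWN_ORDERS not in account.permissions:
        return False
    if account.uid == ANONYMOUS_UID:
        return (
            order.owner_uid == ANONYMOUS_UID
            and order.order_id in account.session_order_ids
        )
    return order.owner_uid == account.uid


def demo() -> dict:
    """Run both checks over constructed sample data and return the outcomes."""
    my_order = Order(order_id=101, owner_uid=ANONYMOUS_UID)
    someone_elses_order = Order(order_id=102, owner_uid=ANONYMOUS_UID)
    registered_order = Order(order_id=103, owner_uid=5)

    visitor = Account(uid=ANONYMOUS_UID, permissions={VIEW_OWN_ORDERS},
                      session_order_ids={101})
    registered = Account(uid=5, permissions={VIEW_OWN_ORDERS})

    return {
        # The gap: naive check grants a visitor access to another visitor's order.
        "naive_other_anon_order": can_view_order_naive(visitor, someone_elses_order),
        "hardened_other_anon_order": can_view_order_hardened(visitor, someone_elses_order),
        "hardened_own_session_order": can_view_order_hardened(visitor, my_order),
        "hardened_registered_order_as_anon": can_view_order_hardened(visitor, registered_order),
        "hardened_registered_own_order": can_view_order_hardened(registered, registered_order),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

Running `demo()` shows the naive check allowing the anonymous visitor to view order 102 while the session-scoped check denies it and still permits order 101; the session-scoped rule is also the point to log on, since a denied anonymous request for an order id outside the session is the pattern a site would want to alert on.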

References
Credits

Affected packages

Packagist: https://packages.drupal.org/8 / drupal/commerce

Package

Name
drupal/commerce
Purl
pkg:composer/drupal/commerce

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
2.18.0
Database specific
{
    "constraint": "<2.18.0"
}

Database specific

affected_versions
"<2.18.0"
source
"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/commerce/DRUPAL-CONTRIB-2020-020.json"