The default checkout completion rule in the commerce_order module in the Drupal Commerce module 7.x-1.x before 7.x-1.10 for Drupal uses the email address as the username for new accounts created at checkout, which allows remote attackers to obtain sensitive information via unspecified vectors.
References
Link | Resource |
---|---|
https://www.drupal.org/node/2336357 | Vendor Advisory |
https://www.drupal.org/node/2336327 | Vendor Advisory |
Configurations
Configuration 1 (hide)
|
Information
Published : 2014-11-20 09:50
Updated : 2014-11-21 05:02
NVD link : CVE-2014-9025
Mitre link : CVE-2014-9025
JSON object : View
CWE
CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
Products Affected
commerceguys
- commerce