The default checkout completion rule in the commerce_order module in the Drupal Commerce module 7.x-1.x before 7.x-1.10 for Drupal uses the email address as the username for new accounts created at checkout, which allows remote attackers to obtain sensitive information via unspecified vectors.
References
Link | Resource |
---|---|
https://www.drupal.org/node/2336327 | Vendor Advisory |
https://www.drupal.org/node/2336357 | Vendor Advisory |
https://www.drupal.org/node/2336327 | Vendor Advisory |
https://www.drupal.org/node/2336357 | Vendor Advisory |
Configurations
Configuration 1 (hide)
|
History
21 Nov 2024, 02:20
Type | Values Removed | Values Added |
---|---|---|
References | () https://www.drupal.org/node/2336327 - Vendor Advisory | |
References | () https://www.drupal.org/node/2336357 - Vendor Advisory |
Information
Published : 2014-11-20 17:50
Updated : 2024-11-21 02:20
NVD link : CVE-2014-9025
Mitre link : CVE-2014-9025
CVE.ORG link : CVE-2014-9025
JSON object : View
Products Affected
commerceguys
- commerce
CWE
CWE-200
Exposure of Sensitive Information to an Unauthorized Actor