Come together with the global Drupal community in Rotterdam, 28 Sept – 1 Oct 2026. Sessions, contribution, connection, and Early Bird savings until 8 June.Project:
Date:
2024-May-22
Vulnerability:
Access bypass
Affected versions:
<1.0.3
CVE IDs:
CVE-2024-13257
Description:
The Commerce View Receipts module enables you to view commerce order receipts in the browser.
The module doesn't sufficiently check access permissions, allowing an unauthorised user to view the private information of other customers.
Solution:
Install the latest version.
- If you use the Commerce View Receipts module for Drupal, upgrade to Commerce View Receipts 1.0.3.
Sites may wish to temporarily revoke the "view receipts" permission from most roles until the site can be upgraded to the latest version.
Reported By:
Fixed By:
- Norman Kämper-Leymann
- Greg Mack
- Greg Knaddison of the Drupal Security Team
- Drew Webber of the Drupal Security Team
Coordinated By:
- Greg Knaddison of the Drupal Security Team
- Juraj Nemec of the Drupal Security Team
- xjm of the Drupal Security Team
