Commerce View Receipt - Moderately critical - Access bypass - SA-CONTRIB-2024-021

Project: Commerce View Receipt

Date: 2024-May-22

Security risk: Moderately critical 13∕25 AC:None/A:User/CI:Some/II:None/E:Theoretical/TD:All

Vulnerability: Access bypass

Affected versions: <1.0.3

Description: The Commerce View Receipts module enables you to view commerce order receipts in the browser.
The module doesn't sufficiently check access permissions, allowing a malicious user to view the private information of other customers.

Solution: Install the latest version.

Sites may wish to temporarily revoke the "view receipts" permission from most roles until the site can be upgraded to the latest version.

Reported By: 

Fixed By: 

Coordinated By: 
