Description
The default checkout completion rule in the commerce_order module in the Drupal Commerce module 7.x-1.x before 7.x-1.10 for Drupal uses the email address as the username for new accounts created at checkout, which allows remote attackers to obtain sensitive information via unspecified vectors.
References (2)
Core 2
Core References
Vendor Advisory x_refsource_confirm
https://www.drupal.org/node/2336327
Vendor Advisory x_refsource_misc
https://www.drupal.org/node/2336357
Scores
EPSS
0.0117
EPSS Percentile
63.7%
Details
CWE
CWE-200
Status
published
Products (2)
commerceguys/commerce
7.x-1.0 (13 CPE variants)
commerceguys/commerce
7.x-1.1
Published
Nov 20, 2014
Tracked Since
Feb 18, 2026