Commerce 0.10.3: important security fix

We’ve just released Commerce 0.10.3, which contains an important security fix. Before disclosing the exact details, we wanted to give you a chance to update your Commerce sites first.

What you need to know right now:

  • When abused, certain customer information may be leaked
  • All versions prior to 0.10.3 are vulnerable
  • The attack is trivial to pull off, and there are no possible prevention measures other than upgrading to 0.10.3; attackers do not need any special access to a website

In about four weeks’ time (on February 12th), we’ll share more information about the nature of the vulnerability.

We discovered the vulnerability last week while working on an improvement for 0.11. While we are not aware of this attack having been used in the wild, we will shortly be notifying all Commerce users by email to urge immediate updates, as the risk is high (CVSS 8.2).

Update: in February, we published the full disclosure, which includes more details of what happened.