Craft Commerce Information Disclosure Vulnerability in Payments Controller
Vulnerability
A vulnerability in Craft Commerce's PaymentsController::actionPay allows an unauthenticated user to read sensitive order information during an anonymous payment. The issue affects Craft Commerce 4.0.0 through 4.10.2 and 5.0.0 through 5.5.4. The action looks up the order by its order number before the caller's authorization has been fully enforced: when an order number is supplied and the email verification fails, the response still includes the serialized order object, which carries details such as the customer's email address, shipping address and billing address.
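The following is an added illustration of the ordering bug described above, written for this page and not taken from Craft Commerce's source. It models an anonymous-payment handler in plain PHP: the vulnerable form loads the order by number and attaches it to the error response when the email check fails, and the hardened form decides authorization before exposing any order data. The order store, lookup function, response shape and field names are assumptions for the example; it also goes slightly beyond the advisory by returning one generic failure message for both "unknown order" and "wrong email", so the endpoint cannot be used to confirm which order numbers exist.

```php
<?php
// Added example (not Craft Commerce's code): the authorization-ordering bug
// in an anonymous payment action, shown beside a hardened version.
// Order store, lookup and response shape are assumptions for this example.

declare(strict_types=1);

// Constructed sample order store keyed by order number.
const ORDERS = [
    'ORD-1001' => [
        'number'          => 'ORD-1001',
        'email'           => 'alice@example.com',
        'shippingAddress' => ['line1' => '1 Main St', 'city' => 'Springfield'],
        'billingAddress'  => ['line1' => '1 Main St', 'city' => 'Springfield'],
        'total'           => 42.00,
    ],
];

function findOrderByNumber(string $number): ?array
{
    return ORDERS[$number] ?? null;
}

// Vulnerable pattern: the order is retrieved first and then serialized into
// the error response even though the caller never proved ownership of it.
function payVulnerable(string $number, string $email): array
{
    $order = findOrderByNumber($number);
    if ($order === null) {
        return ['success' => false, 'error' => 'Order not found'];
    }
    if (strcasecmp($order['email'], $email) !== 0) {
        // Bug: the full order (email, shipping and billing address) leaks
        // to an anonymous caller who only knows the order number.
        return ['success' => false, 'error' => 'Email mismatch', 'order' => $order];
    }
    return ['success' => true, 'order' => $order];
}

// Hardened pattern: authorization is settled before any order data is put
// in the response, the email comparison is constant-time, and both failure
// cases return the same generic message.
function payHardened(string $number, string $email): array
{
    $order = findOrderByNumber($number);
    $authorized = $order !== null
        && hash_equals(strtolower($order['email']), strtolower($email));
    if (!$authorized) {
        return ['success' => false, 'error' => 'Order not found or email does not match'];
    }
    return ['success' => true, 'order' => $order];
}

// Demonstration: a caller who knows only the order number and guesses the email.
$leak = payVulnerable('ORD-1001', 'attacker@example.com');
$safe = payHardened('ORD-1001', 'attacker@example.com');
printf("vulnerable response contains order: %s\n", isset($leak['order']) ? 'yes' : 'no');
printf("hardened response contains order:   %s\n", isset($safe['order']) ? 'yes' : 'no');
```

When reviewing similar code, the check to make is where the serialized model first enters the response: any branch that runs before the ownership check succeeds should return nothing beyond a status and a generic error.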
Impact
Exploitation of this vulnerability leads to unauthorized disclosure of sensitive customer order information, including email addresses and shipping and billing addresses.
Reproduction
To reproduce this vulnerability on an affected version (4.0.0 through 4.10.2 or 5.0.0 through 5.5.4), initiate an anonymous payment and supply a valid order number together with an email address that does not match the order, so that the email check fails. The response includes the serialized order data that should not be accessible to an unauthenticated user.
Remediation
Upgrade to Craft Commerce 4.11.0 (4.x) or 5.6.0 (5.x), which address this vulnerability.
