[security] Anonymous users can reuse credit cards of others when payment token is set to always

Created on 2 August 2023, over 1 year ago

Problem/Motivation

When using the token setting to always store a payment method reference, which only makes sense in combination with custom code that then does something with that (setting up subscriptions in our case), then the ID for anonymous users is not handled correctly, which results in anonymous users being able to reuse stored credit cards.

Reporting this in public because this module is not stable and it's unlikely someone but us used this setting.

Steps to reproduce

Proposed resolution

Remaining tasks

User interface changes

API changes

Data model changes

🐛 Bug report

Status

Fixed

Version

2.0

Component

Code

Created by

🇨🇭Switzerland berdir Switzerland

Live updates comments and jobs are added and updated live.

Comments & Activities

Issue created by @berdir
Assigned to ruvus
Comment over 1 year ago →
🇨🇭Switzerland cola
First commit to issue fork.
@ruvus opened merge request.
Comment over 1 year ago →
System Message

ruvus → committed 31ca351e on 8.x-2.x
Issue #3378683: [security] Anonymous users can reuse credit cards of...
Status changed to Fixed over 1 year ago7:03pm 2 August 2023
Comment over 1 year ago →
🇨🇭Switzerland ruvus Chur
Comment over 1 year ago →
System Message
Automatically closed - issue fixed for 2 weeks with no activity.

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024