CVE-2014-9025 Information

Description

The default checkout completion rule in the commerce_order module in the Drupal Commerce module 7.x-1.x before 7.x-1.10 for Drupal uses the email address as the username for new accounts created at checkout which allows remote attackers to obtain sensitive information via unspecified vectors.

Reference

https://www.drupal.org/node/2336327 https://www.drupal.org/node/2336357