Potential information disclosure in SimpleCart 2.5.1 and prior

Today we were alerted to an issue where the SimpleCart scGetOrders snippet would show all orders placed by guests when it is accessed by an anonymous user. This has been fixed in SimpleCart 2.5.2 and 2.6.0-rc3 (pre-release).

If you set up a “My Orders” page on your site, but did not protect it to logged in users only, you should update immediately to prevent leaking customer information.

The scGetOrders snippet will now return a new chunk (scOrdersLogin, or the chunk set in the &loginTpl property) when the snippet is accessed by someone that isn’t logged in. This bug was caused by an insufficient check that has not changed since 2013, so we expect all previous versions of SimpleCart to be susceptible to this issue.

This would also be a good time for everyone with a SimpleCart shop to double check their configuration and make sure they’re up-to-date with other fixes as well.

Thanks to Uroš Likar for reporting this issue.