@spencern tagged this 02 Nov 02:03
1. OAuth Service Configuration secrets could be shared with
unauthenticated users via the ServiceConfiguration publication.
Any shops using an OAuth provider such as Facebook, Google, Twitter,
Instagram, or another OAuth provider within Reaction are vulnerable.
Please update your version of Reaction Commerce and invalidate all
OAuth Service Provider secrets used by Reaction Commerce. After
updating to a patched version, generate new secrets for use.

2. Routes could be rendered for unauthenticated users who directly
visited a dashboard URL.