Commerce Engine can be accessed from the client without a certificate file

  • The implementation of client authentication in Sitecore Experience Commerce differs from the client authentication schemes of other Sitecore products.

    So, to avoid potential vulnerabilities, make sure that all the recommended actions for secure client authentication are applied.

  • To secure a Commerce Engine installation against unauthorized use, consider the measures listed at the following link: Certificate authentication.

  • Sitecore would like to give credit to Ramon Brülisauer and Markus Koller of the Namics AG team for the discovery of potential security issues with incorrect implementation of certificate authentication in specific Experience Commerce solutions.

Applies to:

Sitecore Experience Commerce 9.0+

March 04, 2020
April 23, 2020

Reference number: