Edx just released a security fix for the ecommerce service
The patch removes the public access to the ecommerce catalogue directory and it’s content. A user before the fix can take advantage of the visibility and use any edx course coupons to checkout enrollment seats.
Please see the fix here https://github.com/edx/ecommerce/commit/5ddce0941bc9521bd52b0bd68d531daf04500942
Thanks, and please let us know if you have any questions!