User Impersonation Affecting cardgate/magento2 package, versions <2.0.30
Snyk CVSS
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-PHP-CARDGATEMAGENTO2-552157
- published 25 Feb 2020
- disclosed 25 Feb 2020
- credit Unknown
Introduced: 25 Feb 2020
CVE-2020-8818 Open this link in a new tabHow to fix?
Upgrade cardgate/magento2
to version 2.0.30 or higher.
Overview
cardgate/magento2 is a CardGate module for Magento 2.
Affected versions of this package are vulnerable to User Impersonation. Lack of origin authentication in the IPN
callback processing function in Controller/Payment/Callback.php
allows an attacker to remotely replace critical plugin settings (merchant ID, secret key, etc.).The attacker can then bypass the payment process (e.g., spoof an order status by manually sending an IPN
callback request with a valid signature but without real payment) and/or receive all of the subsequent payments.