Homepage
About Snyk

User Impersonation Affecting cardgate/magento2 package, versions <2.0.30

0.0
high

Snyk CVSS

    Attack Complexity Low
    Confidentiality High

    Threat Intelligence

    Exploit Maturity Mature
    EPSS 10.76% (96th percentile)
Expand this section
NVD
8.1 high

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-PHP-CARDGATEMAGENTO2-552157
  • published 25 Feb 2020
  • disclosed 25 Feb 2020
  • credit Unknown
Report a new vulnerability Found a mistake?

Introduced: 25 Feb 2020

CVE-2020-8818 Open this link in a new tab
CWE-346 Open this link in a new tab

How to fix?

Upgrade cardgate/magento2 to version 2.0.30 or higher.

Overview

cardgate/magento2 is a CardGate module for Magento 2.

Affected versions of this package are vulnerable to User Impersonation. Lack of origin authentication in the IPN callback processing function in Controller/Payment/Callback.php allows an attacker to remotely replace critical plugin settings (merchant ID, secret key, etc.).The attacker can then bypass the payment process (e.g., spoof an order status by manually sending an IPN callback request with a valid signature but without real payment) and/or receive all of the subsequent payments.