← Back

CVE-2020-8818

nvd nist
Published: Feb 25, 2020Modified: Nov 21, 2024

JSON object

Loading...
8.1
Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Exploitability: 2.8 / Impact: 5.2
Source: NVD

Description

An issue was discovered in the CardGate Payments plugin through 2.0.30 for Magento 2. Lack of origin authentication in the IPN callback processing function in Controller/Payment/Callback.php allows an attacker to remotely replace critical plugin settings (merchant ID, secret key, etc.) and therefore bypass the payment process (e.g., spoof an order status by manually sending an IPN callback request with a valid signature but without real payment) and/or receive all of the subsequent payments.

Affected (2)

Cardgate
1 product
Cardgate Payments
Adobe
1 product
Magento
Configuration A
1 vulnerable
Vulnerable SoftwareAffected Versions
Cardgate Payments
Up to 2.0.30
Configuration B
1 vulnerable
Vulnerable SoftwareAffected Versions
Magento
Version 2.3.4

Related CWEs

CWE-346
Origin Validation Error
The product does not properly verify that the source of data or communication is valid.

References (6)

Source: cve@mitre.org
ExploitThird Party AdvisoryVDB Entry
Source: cve@mitre.org
ExploitThird Party Advisory
Source: cve@mitre.org
ExploitThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
ExploitThird Party AdvisoryVDB Entry
Source: af854a3a-2127-422b-91ae-364da2661108
ExploitThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
ExploitThird Party Advisory

Timeline

No history available yet.