Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS00ODl4LWNjanctcTdjNM4AASsP
Paymorrow Improper Input Validation vulnerability
An issue was discovered in the Paymorrow module 1.0.0 before 1.0.2 and 2.0.0 before 2.0.1 for OXID eShop. An attacker can bypass delivery-address change detection if the payment module doesn't use eShop's checkout procedure properly. To do so, the attacker must change the delivery address to one that is not verified by the Paymorrow module.
Permalink: https://github.com/advisories/GHSA-489x-ccjw-q7c4JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS00ODl4LWNjanctcTdjNM4AASsP
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 2 years ago
Updated: 25 days ago
CVSS Score: 5.3
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Identifiers: GHSA-489x-ccjw-q7c4, CVE-2018-14020
References:
- https://nvd.nist.gov/vuln/detail/CVE-2018-14020
- https://bugs.oxid-esales.com/view.php?id=6801
- https://oxidforge.org/en/security-bulletin-2018-003.html
- https://github.com/advisories/GHSA-489x-ccjw-q7c4
Affected Packages
packagist:oxid-esales/paymorrow-module
Dependent packages: 2Dependent repositories: 3
Downloads: 220,735 total
Affected Version Ranges: >= 2.0.0, < 2.0.1, >= 1.0.0, < 1.0.2
Fixed in: 2.0.1, 1.0.2
All affected versions: 2.0.0
All unaffected versions: 1.0.2, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.1.0