Data

Tools

Indexes

Applications

Experiments

Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

GSA_kwCzR0hTQS1xZjZxLXFmd3AtdnA0NM0Wcg

High EPSS: 0.00178% (0.401 Percentile) EPSS:
Permalink JSON

Origin Validation Error in Magento 2

Affected Packages Affected Versions Fixed Versions
packagist:cardgate/magento2 < 2.0.33 2.0.33
0 Dependent packages
0 Dependent repositories
9,388 Downloads total

Affected Version Ranges

All affected versions

2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.0.8, 2.0.9, 2.0.10, 2.0.11, 2.0.13, 2.0.14, 2.0.15, 2.0.16, 2.0.17, 2.0.18, 2.0.19, 2.0.20, 2.0.21, 2.0.22, 2.0.23, 2.0.24, 2.0.25, 2.0.26, 2.0.27, 2.0.28, 2.0.29, 2.0.30, 2.0.31, 2.0.32

All unaffected versions

2.0.33, 2.0.34, 2.0.35, 2.0.36, 2.0.37, 2.0.38, 2.0.39, 2.0.40, 2.0.41, 2.0.42, 2.0.43, 2.0.44, 2.0.45, 2.0.46, 2.0.47, 2.0.48, 2.0.49, 2.0.50, 2.0.51, 2.0.52, 2.0.53, 2.0.54, 2.0.55, 2.0.56, 2.0.57, 2.0.58

An issue was discovered in the CardGate Payments plugin through 2.0.30 for Magento 2. Lack of origin authentication in the IPN callback processing function in Controller/Payment/Callback.php allows an attacker to remotely replace critical plugin settings (merchant ID, secret key, etc.) and therefore bypass the payment process (e.g., spoof an order status by manually sending an IPN callback request with a valid signature but without real payment) and/or receive all of the subsequent payments.

References:

Identifiers

GHSA-qf6q-qfwp-vp44

CVE-2020-8818

Risk

Severity

High

EPSS

EPSS Percentage: 0.00178

EPSS Percentile: 0.401

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/cardgate/magento2

Date and time

Published

almost 4 years ago

Updated

over 2 years ago

API

JSON