The Stripe API v1 allows remote attackers to bypass intended access restrictions by replaying api.stripe.com /v1/tokens XMLHttpRequest data, parsing the response under the object card{}, and reading the cvc_check information if the creation is successful without charging the actual card used in the transaction.
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2019-01-03T22:00:00

Updated: 2024-08-05T11:30:04.184Z

Reserved: 2018-11-13T00:00:00

Link: CVE-2018-19249

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2019-01-03T22:29:00.323

Modified: 2024-11-21T03:57:38.607

Link: CVE-2018-19249

cve-icon Redhat

No data.