The Stripe API v1 allows remote attackers to bypass intended access restrictions by replaying api.stripe.com /v1/tokens XMLHttpRequest data, parsing the response under the object card{}, and reading the cvc_check information if the creation is successful without charging the actual card used in the transaction.
Metrics
Affected Vendors & Products
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: mitre
Published: 2019-01-03T22:00:00
Updated: 2024-08-05T11:30:04.184Z
Reserved: 2018-11-13T00:00:00
Link: CVE-2018-19249
Vulnrichment
No data.
NVD
Status : Modified
Published: 2019-01-03T22:29:00.323
Modified: 2024-11-21T03:57:38.607
Link: CVE-2018-19249
Redhat
No data.