An issue was discovered in the CardGate Payments plugin through 2.0.30 for Magento 2. Lack of origin authentication in the IPN callback processing function in Controller/Payment/Callback.php allows an attacker to remotely replace critical plugin settings (merchant ID, secret key, etc.) and therefore bypass the payment process (e.g., spoof an order status by manually sending an IPN callback request with a valid signature but without real payment) and/or receive all of the subsequent payments.
Metrics
Affected Vendors & Products
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: mitre
Published: 2020-02-25T01:20:39
Updated: 2024-08-04T10:12:10.502Z
Reserved: 2020-02-10T00:00:00
Link: CVE-2020-8818
Vulnrichment
No data.
NVD
Status : Modified
Published: 2020-02-25T02:15:12.097
Modified: 2024-11-21T05:39:29.997
Link: CVE-2020-8818
Redhat
No data.