CVSS: 8.1EPSS: 10%CPEs: 2EXPL: 3CVE-2020-8818 – Magento WooCommerce CardGate Payment Gateway 2.0.30 Bypass
https://notcve.org/view.php?id=CVE-2020-8818
An issue was discovered in the CardGate Payments plugin through 2.0.30 for Magento 2. Lack of origin authentication in the IPN callback processing function in Controller/Payment/Callback.php allows an attacker to remotely replace critical plugin settings (merchant ID, secret key, etc.) and therefore bypass the payment process (e.g., spoof an order status by manually sending an IPN callback request with a valid signature but without real payment) and/or receive all of the subsequent payments. Se detectó un problema en el plugin CardGate Payments versiones hasta 2.0.30 para Magento 2. Una falta de autenticación de origen en la función de procesamiento de una devolución de llamada IPN en el archivo Controller/Payment/Callback.php, permite a un atacante reemplazar remotamente las configuraciones de plugin criticas (ID del comerciante, clave secreta , etc.) y, por lo tanto, omitir el proceso de pago (por ejemplo, falsificar el estado de un pedido enviando manualmente una petición de devolución de llamada IPN con una firma válida pero sin pago real) y/o recibir todos los pagos posteriores. Magento WooCommerce CardGate Payment Gateway version 2.0.30 suffers from a payment process bypass vulnerability. • http://packetstormsecurity.com/files/156505/Magento-WooCommerce-CardGate-Payment-Gateway-2.0.30-Bypass.html https://github.com/cardgate/magento2/blob/715979e54e1a335d78a8c5586f9e9987c3bf94fd/Controller/Payment/Callback.php#L88-L107 https://github.com/cardgate/magento2/issues/54 • CWE-346: Origin Validation Error •
CVSS: 8.1EPSS: 6%CPEs: 1EXPL: 4CVE-2020-8819 – CardGate Payments for WooCommerce <= 3.1.15 - Lack of Origin Validation
https://notcve.org/view.php?id=CVE-2020-8819
An issue was discovered in the CardGate Payments plugin through 3.1.15 for WooCommerce. Lack of origin authentication in the IPN callback processing function in cardgate/cardgate.php allows an attacker to remotely replace critical plugin settings (merchant ID, secret key, etc.) and therefore bypass the payment process (e.g., spoof an order status by manually sending an IPN callback request with a valid signature but without real payment) and/or receive all of the subsequent payments. Se detectó un problema en el plugin CardGate Payments versiones hasta 3.1.15 para WooCommerce. Una falta de autenticación de origen en la función de procesamiento de una devolución de llamada IPN en el archivo cardgate/cardgate.php, permite a un atacante reemplazar de remotamente las configuraciones de plugin criticas (ID de comerciante, clave secreta, etc.) y, por lo tanto, omitir el proceso de pago (por ejemplo, falsificar un estado de pedido manualmente enviando una petición de devolución de llamada IPN con una firma válida pero sin pago real) y/o recibir todos los pagos posteriores. WordPress WooCommerce CardGate Payment Gateway plugin version 3.1.15 suffers from a payment process bypass vulnerability. • https://www.exploit-db.com/exploits/48134 http://packetstormsecurity.com/files/156504/WordPress-WooCommerce-CardGate-Payment-Gateway-3.1.15-Bypass.html https://github.com/cardgate/woocommerce/blob/f2111af7b1a3fd701c1c5916137f3ac09482feeb/cardgate/cardgate.php#L426-L442 https://github.com/cardgate/woocommerce/issues/18 https://wpvulndb.com/vulnerabilities/10097 • CWE-346: Origin Validation Error •