Commerce Elavon - Moderately critical - Access bypass - SA-CONTRIB-2022-053 - Security-news

24 Aug 2022


      View online: https://www.drupal.org/sa-contrib-2022-053
Project: Commerce Elavon [1]
Version: 8.x-2.28.x-2.18.x-2.08.x-2.0-beta28.x-2.0-beta17.x-1.47.x-1.37.x-1.27.x-1.17.x-1.0
Date: 2022-August-24
Security risk: *Moderately critical* 11∕25
AC:Complex/A:None/CI:None/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Access bypass
Affected versions: <=2.2.0
Description: 
This module enables you to accept payments from the Elavon payment provider.
The module doesn't sufficiently verify that it's communicating with the
correct server when using the *Elavon (On-site)* payment gateway, which could
lead to leaking valid payment details as well as accepting invalid payment
details.
This vulnerability is mitigated by the fact that an attacker must be able to
spoof the Elavon DNS received by your site.
Solution: 
Install the latest version:
* If you use the Commerce Elavon module for Drupal 8.x/9.x, upgrade to
     Commerce Elavon 8.x-2.3 [3]
   * If you use the Commerce Elavon module version 1.x for Drupal 7.x, upgrade
     to Commerce Elavon 7.x-1.5 [4]
Reported By: 
   * Andy Fowlston [5]
Fixed By: 
   * Andy Fowlston [6]
   * Greg Knaddison [7] of the Drupal Security Team
Coordinated By: 
   * Damien McKenna [8] of the Drupal Security Team
   * Greg Knaddison [9] of the Drupal Security Team
[1] https://www.drupal.org/project/commerce_elavon
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/commerce_elavon/releases/8.x-2.3
[4] https://www.drupal.org/project/commerce_elavon/releases/7.x-1.5
[5] https://www.drupal.org/user/220112
[6] https://www.drupal.org/user/220112
[7] https://www.drupal.org/user/36762
[8] https://www.drupal.org/user/108450
[9] https://www.drupal.org/user/36762