View online: https://www.drupal.org/sa-contrib-2018-062
Project: Commerce Klarna Checkout [1]
Version: 7.x-1.4
Date: 2018-September-26
Security risk: *Moderately critical* 13∕25 AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Access bypass
Description: The Commerce Klarna Checkout module enables you to accept payments from the Klarna Checkout payment provider.
The module doesn't sufficiently validate the payment callback made by Klarna. An attacker could bypass the payment step.
Solution: Install the latest version:
* If you use the Commerce Klarna Checkout module for Drupal 7.x, upgrade to Commerce Klarna Checkout 7.x-1.5 [3]
Also see the Commerce Klarna Checkout [4] project page.
Reported By:
* Josef Gullström [5]
Fixed By:
* Eirik Morland [6]
* Josef Gullström [7]
Coordinated By:
* Greg Knaddison [8] of the Drupal Security Team
[1] https://www.drupal.org/project/commerce_klarna_checkout
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/commerce_klarna_checkout/releases/7.x-1.5
[4] https://www.drupal.org/project/commerce_klarna_checkout
[5] https://www.drupal.org/user/2400268
[6] https://www.drupal.org/user/1014468
[7] https://www.drupal.org/user/2400268
[8] https://www.drupal.org/user/32672