[Security-news] Commerce Klarna Checkout - Moderately critical - Access bypass - SA-CONTRIB-2018-062
security-news at drupal.org
security-news at drupal.org
Wed Sep 26 17:06:58 UTC 2018
View online: https://www.drupal.org/sa-contrib-2018-062
Project: Commerce Klarna Checkout [1]
Version: 7.x-1.4
Date: 2018-September-26
Security risk: *Moderately critical* 13∕25
AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Access bypass
Description:
The Commerce Klarna Checkout module enables you to accept payments from the
Klarna Checkout payment provider
The module doesn't sufficiently validate the payment callback made by Klarna.
An attacker could bypass the payment step.
Solution:
Install the latest version:
* If you use the Commerce Klarna Checkout module for Drupal 7.x, upgrade to
Commerce Klarna Checkout 7.x-1.5 [3]
Also see the Commerce Klarna Checkout [4] project page.
Reported By:
* Josef Gullström [5]
Fixed By:
* Eirik Morland [6]
* Josef Gullström [7]
Coordinated By:
* Greg Knaddison [8] of the Drupal Security Team
[1] https://www.drupal.org/project/commerce_klarna_checkout
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/commerce_klarna_checkout/releases/7.x-1.5
[4] https://www.drupal.org/project/commerce_klarna_checkout
[5] https://www.drupal.org/user/2400268
[6] https://www.drupal.org/user/1014468
[7] https://www.drupal.org/user/2400268
[8] https://www.drupal.org/user/32672
More information about the Security-news
mailing list