[Security-news] Commerce Elavon - Moderately critical - Access bypass - SA-CONTRIB-2022-053
security-news at drupal.org
security-news at drupal.org
Wed Aug 24 18:37:19 UTC 2022
View online: https://www.drupal.org/sa-contrib-2022-053
Project: Commerce Elavon [1]
Version: 8.x-2.28.x-2.18.x-2.08.x-2.0-beta28.x-2.0-beta17.x-1.47.x-1.37.x-1.27.x-1.17.x-1.0
Date: 2022-August-24
Security risk: *Moderately critical* 11∕25
AC:Complex/A:None/CI:None/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Access bypass
Affected versions: <=2.2.0
Description:
This module enables you to accept payments from the Elavon payment provider.
The module doesn't sufficiently verify that it's communicating with the
correct server when using the *Elavon (On-site)* payment gateway, which could
lead to leaking valid payment details as well as accepting invalid payment
details.
This vulnerability is mitigated by the fact that an attacker must be able to
spoof the Elavon DNS received by your site.
Solution:
Install the latest version:
* If you use the Commerce Elavon module for Drupal 8.x/9.x, upgrade to
Commerce Elavon 8.x-2.3 [3]
* If you use the Commerce Elavon module version 1.x for Drupal 7.x, upgrade
to Commerce Elavon 7.x-1.5 [4]
Reported By:
* Andy Fowlston [5]
Fixed By:
* Andy Fowlston [6]
* Greg Knaddison [7] of the Drupal Security Team
Coordinated By:
* Damien McKenna [8] of the Drupal Security Team
* Greg Knaddison [9] of the Drupal Security Team
[1] https://www.drupal.org/project/commerce_elavon
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/commerce_elavon/releases/8.x-2.3
[4] https://www.drupal.org/project/commerce_elavon/releases/7.x-1.5
[5] https://www.drupal.org/user/220112
[6] https://www.drupal.org/user/220112
[7] https://www.drupal.org/user/36762
[8] https://www.drupal.org/user/108450
[9] https://www.drupal.org/user/36762
More information about the Security-news
mailing list