First published: Tue Feb 25 2020
An issue was discovered in the CardGate Payments plugin through 2.0.30 for Magento 2. Lack of origin authentication in the IPN callback processing function in Controller/Payment/Callback.php allows an attacker to remotely replace critical plugin settings (merchant ID, secret key, etc.) and therefore bypass the payment process (e.g., spoof an order status by manually sending an IPN callback request with a valid signature but without real payment) and/or receive all of the subsequent payments.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
Cardgate Cardgate Payments | <=2.0.30 | |
Adobe Magento | =2.3.4 | |
CVE-2020-8818 is a vulnerability in the CardGate Payments plugin through version 2.0.30 for Magento 2.
CVE-2020-8818 has a severity rating of 8.1 (high).
CVE-2020-8818 allows an attacker to remotely replace critical plugin settings in Magento 2, such as the merchant ID and secret key.
The affected software of CVE-2020-8818 includes the CardGate Payments plugin for Magento 2 up to and including version 2.0.30, and Adobe Magento version 2.3.4.
To fix CVE-2020-8818, apply the latest security patches or updates provided by CardGate Payments and Magento.
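The flaw described above is a callback handler that trusts the incoming request for two things it must never trust it for: the plugin's own configuration (merchant ID, secret key) and, once the secret has been swapped, the payment status. The example below is an added illustration of the hardened pattern and is not the CardGate plugin's code, nor based on CardGate's real signing scheme: the handler `handle_ipn`, the stored `MERCHANT_CONFIG`, the order store `ORDERS`, the "sorted key=value pairs joined by &" signing rule and all sample values are assumptions made for this example. The point it shows is that configuration fields in the callback are ignored rather than applied, and that the signature is checked against the stored secret before any field of the request is acted on, so a callback signed with an attacker-chosen key is rejected.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed sample configuration. In the vulnerable pattern the callback
# handler let the request overwrite these; here the callback can only read them.
MERCHANT_CONFIG = {
    "merchant_id": "12345",               # constructed placeholder
    "secret_key": "s3cr3t-merchant-key",  # constructed placeholder
}

# Hypothetical order store: order id -> status
ORDERS = {"100000042": "pending_payment"}

# Only these request fields are covered by the signature and acted upon.
SIGNED_FIELDS = ("order_id", "status", "amount")


@dataclass
class CallbackResult:
    accepted: bool
    reason: str


def canonical_payload(fields: dict) -> bytes:
    """Deterministic serialisation of the signed fields.

    Assumption for this example: the gateway signs the sorted key=value
    pairs joined by '&'. This is not CardGate's real rule.
    """
    return "&".join(f"{k}={fields[k]}" for k in sorted(fields)).encode()


def sign(fields: dict, secret: str) -> str:
    """HMAC-SHA256 over the canonical payload, hex encoded."""
    return hmac.new(secret.encode(), canonical_payload(fields), hashlib.sha256).hexdigest()


def build_signed_ipn(order_id: str, status: str, amount: str, secret: str, **extra) -> dict:
    """Construct a callback request signed with `secret` (test helper).

    `extra` models additional fields a sender might include, such as an
    attempt to 'update' merchant_id or secret_key; the hardened handler
    ignores them.
    """
    fields = {"order_id": order_id, "status": status, "amount": amount}
    request = dict(fields)
    request.update(extra)
    request["signature"] = sign(fields, secret)
    return request


def handle_ipn(request: dict, config: dict = MERCHANT_CONFIG, orders: dict = ORDERS) -> CallbackResult:
    """Hardened IPN handler.

    1. Configuration values in the request are never applied.
    2. The signature is verified with the *stored* secret before any field
       of the request is used.
    3. Only an order already known to this store can change state.
    """
    signature = request.get("signature")
    if not isinstance(signature, str):
        return CallbackResult(False, "missing signature")

    signed = {k: request[k] for k in SIGNED_FIELDS if k in request}
    if len(signed) != len(SIGNED_FIELDS):
        return CallbackResult(False, "incomplete payload")

    expected = sign(signed, config["secret_key"])
    # Constant-time comparison: do not leak how many bytes matched.
    if not hmac.compare_digest(expected, signature):
        return CallbackResult(False, "bad signature")

    order_id = signed["order_id"]
    if order_id not in orders:
        return CallbackResult(False, "unknown order")

    orders[order_id] = signed["status"]
    return CallbackResult(True, "order updated")


def demo() -> dict:
    """Run a genuine callback and a forged one against fresh order stores."""
    genuine = build_signed_ipn("100000042", "paid", "19.99", MERCHANT_CONFIG["secret_key"])
    # Forged: signed with an attacker-chosen key and carrying config 'updates'.
    forged = build_signed_ipn("100000042", "paid", "19.99", "attacker-key",
                              merchant_id="999", secret_key="attacker-key")
    orders_a = {"100000042": "pending_payment"}
    orders_b = {"100000042": "pending_payment"}
    return {
        "genuine": handle_ipn(genuine, orders=orders_a),
        "forged": handle_ipn(forged, orders=orders_b),
        "orders_after_genuine": orders_a,
        "orders_after_forged": orders_b,
        "config_after": dict(MERCHANT_CONFIG),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The handler deliberately has no code path that writes to `config`: settings changes belong in the authenticated admin interface, not in an endpoint that the payment gateway (or anyone who can reach it) calls unauthenticated. Verifying the signature with the stored secret, rather than with anything supplied in the request, is what makes the "valid signature without real payment" case in the advisory fail.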