
it-securitynotifies - [IT-SecNots] [Security-news] Commerce Klarna Checkout - Moderately critical - Access bypass - SA-CONTRIB-2018-062

it-securitynotifies AT lists.piratenpartei.de

Subject: Security announcements

  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] Commerce Klarna Checkout - Moderately critical - Access bypass - SA-CONTRIB-2018-062
  • Date: Wed, 26 Sep 2018 17:06:58 +0000 (UTC)
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-contrib-2018-062

Project: Commerce Klarna Checkout [1]
Version: 7.x-1.4
Date: 2018-September-26
Security risk: *Moderately critical* 13∕25
AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Access bypass

Description: 
The Commerce Klarna Checkout module enables you to accept payments from the
Klarna Checkout payment provider.

The module doesn't sufficiently validate the payment callback made by Klarna.
An attacker could bypass the payment step.

Solution: 
Install the latest version:

* If you use the Commerce Klarna Checkout module for Drupal 7.x, upgrade to
Commerce Klarna Checkout 7.x-1.5 [3]

Also see the Commerce Klarna Checkout [4] project page.

Reported By: 
* Josef Gullström [5]

Fixed By: 
* Eirik Morland [6]
* Josef Gullström [7]

Coordinated By: 
* Greg Knaddison [8] of the Drupal Security Team


[1] https://www.drupal.org/project/commerce_klarna_checkout
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/commerce_klarna_checkout/releases/7.x-1.5
[4] https://www.drupal.org/project/commerce_klarna_checkout
[5] https://www.drupal.org/user/2400268
[6] https://www.drupal.org/user/1014468
[7] https://www.drupal.org/user/2400268
[8] https://www.drupal.org/user/32672
