Zum Inhalt springen.
Sympa Menü

it-securitynotifies - [IT-SecNots] [Security-news] Commerce Elavon - Moderately critical - Access bypass - SA-CONTRIB-2022-053

it-securitynotifies AT lists.piratenpartei.de

Betreff: Sicherheitsankündigungen

Listenarchiv

[IT-SecNots] [Security-news] Commerce Elavon - Moderately critical - Access bypass - SA-CONTRIB-2022-053


Chronologisch Thread  
    < Chronologisch >       < Thread >
  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] Commerce Elavon - Moderately critical - Access bypass - SA-CONTRIB-2022-053
  • Date: Wed, 24 Aug 2022 18:37:19 +0000 (UTC)
  • Authentication-results: mail.piratenpartei.de; dkim=none; dmarc=pass (policy=none) header.from=drupal.org; spf=pass (mail.piratenpartei.de: domain of security-news-bounces AT drupal.org designates 2605:bc80:3010::138 as permitted sender) smtp.mailfrom=security-news-bounces AT drupal.org
  • Dkim-filter: OpenDKIM Filter v2.11.0 smtp1.osuosl.org 6B7BA83449
  • Dkim-filter: OpenDKIM Filter v2.11.0 smtp1.osuosl.org 7E982833AE
  • Dkim-filter: OpenDKIM Filter v2.11.0 smtp2.osuosl.org 3E24A40948
  • Dkim-filter: OpenDKIM Filter v2.11.0 smtp2.osuosl.org 8F89D40198
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-contrib-2022-053

Project: Commerce Elavon [1]
Version: 
8.x-2.28.x-2.18.x-2.08.x-2.0-beta28.x-2.0-beta17.x-1.47.x-1.37.x-1.27.x-1.17.x-1.0
Date: 2022-August-24
Security risk: *Moderately critical* 11∕25
AC:Complex/A:None/CI:None/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Access bypass

Affected versions: <=2.2.0
Description: 
This module enables you to accept payments from the Elavon payment provider.

The module doesn't sufficiently verify that it's communicating with the
correct server when using the *Elavon (On-site)* payment gateway, which could
lead to leaking valid payment details as well as accepting invalid payment
details.

This vulnerability is mitigated by the fact that an attacker must be able to
spoof the Elavon DNS received by your site.

Solution: 
Install the latest version:

* If you use the Commerce Elavon module for Drupal 8.x/9.x, upgrade to
Commerce Elavon 8.x-2.3 [3]
* If you use the Commerce Elavon module version 1.x for Drupal 7.x, upgrade
to Commerce Elavon 7.x-1.5 [4]

Reported By: 
* Andy Fowlston [5]

Fixed By: 
* Andy Fowlston [6]
* Greg Knaddison [7] of the Drupal Security Team

Coordinated By: 
* Damien McKenna [8] of the Drupal Security Team
* Greg Knaddison [9] of the Drupal Security Team


[1] https://www.drupal.org/project/commerce_elavon
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/commerce_elavon/releases/8.x-2.3
[4] https://www.drupal.org/project/commerce_elavon/releases/7.x-1.5
[5] https://www.drupal.org/user/220112
[6] https://www.drupal.org/user/220112
[7] https://www.drupal.org/user/36762
[8] https://www.drupal.org/user/108450
[9] https://www.drupal.org/user/36762

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news

  • [IT-SecNots] [Security-news] Commerce Elavon - Moderately critical - Access bypass - SA-CONTRIB-2022-053, security-news, 24.08.2022

Archiv bereitgestellt durch MHonArc 2.6.24.

Seitenanfang