it-securitynotifies - [IT-SecNots] [Security-news] Mollie for Drupal - Moderately critical - Faulty payment confirmation logic - SA-CONTRIB-2023-052

it-securitynotifies AT lists.piratenpartei.de

Subject: Security announcements

List archive


  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] Mollie for Drupal - Moderately critical - Faulty payment confirmation logic - SA-CONTRIB-2023-052
  • Date: Wed, 15 Nov 2023 17:19:16 +0000 (UTC)
  • Authentication-results: mail.piratenpartei.de; dkim=none; spf=pass (mail.piratenpartei.de: domain of security-news-bounces AT drupal.org designates 2605:bc80:3010::136 as permitted sender) smtp.mailfrom=security-news-bounces AT drupal.org; dmarc=pass (policy=none) header.from=drupal.org
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-contrib-2023-052

Project: Mollie for Drupal [1]
Date: 2023-November-15
Security risk: *Moderately critical* 12/25
AC:Complex/A:None/CI:None/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Faulty payment confirmation logic

Affected versions: <2.2.1
Description: 
This module enables you to pay online via Mollie.

When Mollie redirects the customer back to the module's redirect URL, the
module may load the wrong order when it updates the payment status. An
attacker can use this to have another customer's paid order applied to
their own, getting credit without paying.

This vulnerability is mitigated by the fact that an attacker must have some
knowledge of the module's internal workings. The issue only affects
installations that use the Mollie for Drupal Commerce submodule.
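
The confirmation flaw described above, as an added illustration that is not
code from the Mollie for Drupal module and does not reproduce its actual
logic: a toy model of a redirect-URL handler, with a faulty version that
takes both the order to update and the payment to check from the request,
beside a hardened version that resolves the order from the server-side
session, uses the payment id bound to that order at checkout, and verifies
status, amount and order reference with the provider before marking the
order paid. The Order, FakePayment and FakePSP classes, the helper names and
the sample orders are all constructed for this example and are not Mollie's
or Drupal Commerce's API.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, Optional, Tuple
import secrets


@dataclass
class Order:
    order_id: str
    customer: str
    total: Decimal
    state: str = "draft"                 # draft -> pending -> completed
    payment_id: Optional[str] = None     # PSP payment id bound at checkout


@dataclass
class FakePayment:
    payment_id: str
    amount: Decimal
    status: str                          # "open" | "paid" | "failed"
    metadata: Dict[str, str]


class FakePSP:
    """Constructed stand-in for a payment provider API (not Mollie's client):
    create a payment at checkout, query it when the customer returns."""

    def __init__(self) -> None:
        self._payments: Dict[str, FakePayment] = {}

    def create(self, amount: Decimal, metadata: Dict[str, str]) -> FakePayment:
        pid = "tr_" + secrets.token_hex(5)
        self._payments[pid] = FakePayment(pid, amount, "open", dict(metadata))
        return self._payments[pid]

    def get(self, pid: str) -> FakePayment:
        return self._payments[pid]

    def settle(self, pid: str) -> None:
        """Simulates the customer completing the payment at the provider."""
        self._payments[pid].status = "paid"


def start_checkout(psp: FakePSP, order: Order) -> str:
    """Create the provider payment for an order and bind its id to the order
    server-side before the customer is sent off to pay."""
    payment = psp.create(order.total, {"order_id": order.order_id})
    order.payment_id = payment.payment_id
    order.state = "pending"
    return payment.payment_id


def confirm_insecure(psp: FakePSP, orders: Dict[str, Order],
                     query: Dict[str, str]) -> str:
    """Faulty pattern: order and payment are both named by the return URL,
    so any paid payment can be applied to any order the caller names."""
    order = orders[query["order_id"]]
    if psp.get(query["payment_id"]).status == "paid":
        order.state = "completed"
    return order.state


def confirm_secure(psp: FakePSP, orders: Dict[str, Order],
                   session_order_id: str) -> str:
    """Hardened pattern: the order comes from the server-side session, the
    payment id from the record bound at checkout, and the provider's answer
    must be for exactly that order and amount. The return URL is not trusted."""
    order = orders[session_order_id]
    if order.state != "pending" or order.payment_id is None:
        raise PermissionError("order is not awaiting payment")
    payment = psp.get(order.payment_id)
    if payment.status != "paid":
        return order.state               # still pending; nothing to do yet
    # Defence in depth: the payment record must point back at this order.
    if payment.metadata.get("order_id") != order.order_id:
        raise PermissionError("payment was created for a different order")
    if payment.amount != order.total:
        raise PermissionError("paid amount does not match the order total")
    order.state = "completed"
    return order.state


def _scenario() -> Tuple[FakePSP, Dict[str, Order], str]:
    """Constructed data: a victim pays for order A; the attacker never pays
    for order B. Returns the provider, the orders and the victim's payment id."""
    psp = FakePSP()
    orders = {"A": Order("A", "victim", Decimal("50.00")),
              "B": Order("B", "attacker", Decimal("50.00"))}
    pay_a = start_checkout(psp, orders["A"])
    start_checkout(psp, orders["B"])
    psp.settle(pay_a)
    return psp, orders, pay_a


def run_attack() -> Tuple[str, str]:
    """The attacker hits the redirect URL naming their own order B together
    with the victim's payment id. Returns order B's final state under the
    faulty handler and under the hardened one."""
    psp, orders, pay_a = _scenario()
    insecure_b = confirm_insecure(psp, orders, {"order_id": "B", "payment_id": pay_a})
    psp, orders, _ = _scenario()
    secure_b = confirm_secure(psp, orders, "B")   # attacker's session holds B
    return insecure_b, secure_b


if __name__ == "__main__":
    print(run_attack())
```

Under the faulty handler order B ends up completed although nobody paid for
it; under the hardened handler it stays pending because the payment bound to
B is still open, and the victim's payment is never consulted for B at all.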

Solution: 
Install the latest version:

* If you use the Mollie for Drupal module, upgrade to Mollie for Drupal
2.2.1 [3].

Reported By: 
* Rico Van de Vin [4]
* Norbert Arends [5]

Fixed By: 
* Rico Van de Vin [6]
* hoporr [7]
* Norbert Arends [8]

Coordinated By: 
* Greg Knaddison [9] of the Drupal Security Team
* xjm [10] of the Drupal Security Team


[1] https://www.drupal.org/project/mollie
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/mollie/releases/2.2.1
[4] https://www.drupal.org/user/1243726
[5] https://www.drupal.org/user/660798
[6] https://www.drupal.org/user/1243726
[7] https://www.drupal.org/user/444070
[8] https://www.drupal.org/user/660798
[9] https://www.drupal.org/user/36762
[10] https://www.drupal.org/u/xjm

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news



Archive provided by MHonArc 2.6.24.
