CVE-2018-14020 – oxid-esales/paymorrow-module

Package

Manager: composer
Name: oxid-esales/paymorrow-module
Vulnerable Version: >=1.0.0 <1.0.2 || >=2.0.0 <2.0.1

Severity

Level: Medium

CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00202 pctl0.42429

Details

Paymorrow Improper Input Validation vulnerability An issue was discovered in the Paymorrow module 1.0.0 before 1.0.2 and 2.0.0 before 2.0.1 for OXID eShop. An attacker can bypass delivery-address change detection if the payment module doesn't use eShop's checkout procedure properly. To do so, the attacker must change the delivery address to one that is not verified by the Paymorrow module.

Metadata

Created: 2022-05-13T01:49:53Z
Modified: 2024-04-23T17:25:44Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-489x-ccjw-q7c4/GHSA-489x-ccjw-q7c4.json
CWE IDs: []
Alternative ID: GHSA-489x-ccjw-q7c4
Finding: F184
Auto approve: 1