Security Bulletin 2018-003

The following vulnerability has been identified:

Synopsis

An attacker is able to change the delivery address by bypassing the checkout process when the Paymorrow payment method is used.

State

  • This security issue was reported to us while the reporter was working on an incident on a client system.
  • Resolved; patch releases are available. Sorry, no workaround is possible.

Impact

By bypassing the checkout process, an attacker can circumvent the delivery address validation if the payment module does not use OXID eShop’s checkout procedure properly. In this case it happened in the Paymorrow module, which is regularly shipped with the OXID eShop compilation.

Affected products, releases and platforms

Products:

  • OXID eShop Enterprise Edition (“EE”)
  • OXID eShop Professional Edition (“PE”)
  • OXID eShop Community Edition (“CE”)

Releases:

  • OXID eShop EE v5.2.3 – v5.3.7
  • OXID eShop PE and CE v4.9.3 – v4.10.7
  • OXID eShop EE, PE and CE v6.0.0 – v6.0.2

Platforms:

  • The releases named above are affected on all platforms

Resolution

The issue has already been resolved in the following releases:

  • OXID eShop Enterprise Edition v6.1.0
  • OXID eShop Professional Edition v6.1.0
  • OXID eShop Community Edition v6.1.0
  • OXID eShop Enterprise Edition v6.0.3
  • OXID eShop Professional Edition v6.0.3
  • OXID eShop Community Edition v6.0.3
  • OXID eShop Enterprise Edition v5.3.8
  • OXID eShop Professional Edition v4.10.8
  • OXID eShop Community Edition v4.10.8

Bug tracker entry (will remain in “private” state until this security bulletin is published): https://bugs.oxid-esales.com/view.php?id=6801

Workarounds

Unfortunately, a workaround cannot be provided.

Credits

Many thanks to our Development Partner digidesk – media solutions who found this security issue and immediately reported it.

Stay up-to-date

To receive upcoming OXID Security Bulletins, please subscribe to the RSS feed: https://oxidforge.org/en/shop/development-security/feed.

How to report security issues

Learn how to report security issues on the Security overview page.
