Date
Severity
Moderately Critical
Vulnerability
Payment bypass
Affected versions
<7.x-1.6

Description

The Commerce Paybox module integrates with Verifone e-commerce for accepting online payments.

The module has a vulnerability that could be exploited to mark a payment as done and flag an order as completed, without the user actually entering a credit card number.

There is no known mitigation for this vulnerability.

Solution

Install the latest version.

If you use the Commerce Paybox module for Drupal 7, upgrade to Commerce Paybox 7.x-1.6.

Reported by

Fixed by

Coordinated by