2.0.0

CVSS 5.0 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

NONE

Integrity impact

PARTIAL

Availability impact

NONE

network

low complexity

paymorrow

NVD

Published: 2018-08-20

Updated: 2019-10-03

Summary

An issue was discovered in the Paymorrow module 1.0.0 before 1.0.2 and 2.0.0 before 2.0.1 for OXID eShop. An attacker can bypass delivery-address change detection if the payment module doesn't use eShop's checkout procedure properly. To do so, the attacker must change the delivery address to one that is not verified by the Paymorrow module.

Vulnerable Configurations

Part	Description	Count
Application	Paymorrow Paymorrow Paymorrow 1.0.0 Paymorrow Paymorrow 1.0.2 Paymorrow Paymorrow 2.0.0	3

References

https://bugs.oxid-esales.com/view.php?id=6801
https://oxidforge.org/en/security-bulletin-2018-003.html