8.1

CVE-2020-8819

Exploit

EPSS 0.27%
Published 25.02.2020 02:15:12
Last modified 21.11.2024 05:39:30
Source cve@mitre.org
Teams watchlist Login
Open Login

An issue was discovered in the CardGate Payments plugin through 3.1.15 for WooCommerce. Lack of origin authentication in the IPN callback processing function in cardgate/cardgate.php allows an attacker to remotely replace critical plugin settings (merchant ID, secret key, etc.) and therefore bypass the payment process (e.g., spoof an order status by manually sending an IPN callback request with a valid signature but without real payment) and/or receive all of the subsequent payments.

Affected products Warnungen 0 Metrics 3 CWE 1 References 8

Data is provided by the National Vulnerability Database (NVD)

Cardgate ≫ Cardgate Payments SwPlatformwoocommerce Version <= 3.1.15

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.27%	0.505

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	8.1	2.8	5.2	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
nvd@nist.gov	5.5	8	4.9	AV:N/AC:L/Au:S/C:P/I:P/A:N

CWE-346 Origin Validation Error

The product does not properly verify that the source of data or communication is valid.

http://packetstormsecurity.com/files/156504/WordPress-WooCommerce-CardGate-Payment-Gateway-3.1.15-Bypass.html

Third Party Advisory

Exploit

VDB Entry

https://github.com/cardgate/woocommerce/blob/f2111af7b1a3fd701c1c5916137f3ac09482feeb/cardgate/cardgate.php#L426-L442

Third Party Advisory

Exploit

https://github.com/cardgate/woocommerce/issues/18

Third Party Advisory

Exploit

https://wpvulndb.com/vulnerabilities/10097

Third Party Advisory

https://www.exploit-db.com/exploits/48134

Third Party Advisory

Exploit

VDB Entry

https://nvd.nist.gov/vuln/detail/CVE-2020-8819

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2020-8819

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2020-8819

EUVD