High severity · NVD Advisory · Published Feb 25, 2020 · Updated Aug 4, 2024
CVE-2020-8818
Description
An issue was discovered in the CardGate Payments plugin through 2.0.30 for Magento 2. Lack of origin authentication in the IPN callback processing function in Controller/Payment/Callback.php allows an attacker to remotely replace critical plugin settings (merchant ID, secret key, etc.) and therefore bypass the payment process (e.g., spoof an order status by manually sending an IPN callback request with a valid signature but without real payment) and/or receive all of the subsequent payments.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| cardgate/magento2 (Packagist) | < 2.0.33 | 2.0.33 |
Affected products
- Magento/CardGate Payments plugin
References
- github.com/advisories/GHSA-qf6q-qfwp-vp44
- nvd.nist.gov/vuln/detail/CVE-2020-8818
- packetstormsecurity.com/files/156505/Magento-WooCommerce-CardGate-Payment-Gateway-2.0.30-Bypass.html
- github.com/cardgate/magento2/blob/715979e54e1a335d78a8c5586f9e9987c3bf94fd/Controller/Payment/Callback.php
- github.com/cardgate/magento2/issues/54
- github.com/cardgate/magento2/releases/tag/v2.0.33