CVE-2018-14020 - OpenCVE

An issue was discovered in the Paymorrow module 1.0.0 before 1.0.2 and 2.0.0 before 2.0.1 for OXID eShop. An attacker can bypass delivery-address change detection if the payment module doesn't use eShop's checkout procedure properly. To do so, the attacker must change the delivery address to one that is not verified by the Paymorrow module.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:N/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Paymorrow	Paymorrow

Configuration 1 [-]

OR	cpe:2.3:a:paymorrow:paymorrow:1.0.0:::::oxid_eshop::
	cpe:2.3:a:paymorrow:paymorrow:1.0.2:rc1::::oxid_eshop::*
	cpe:2.3:a:paymorrow:paymorrow:2.0.0:::::oxid_eshop::

No data.

References

Link	Providers
https://bugs.oxid-esales.com/view.php?id=6801
https://oxidforge.org/en/security-bulletin-2018-003.html

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2018-08-20T22:00:00

Updated: 2024-08-05T09:21:40.828Z

Reserved: 2018-07-12T00:00:00

Link: CVE-2018-14020

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2018-08-20T22:29:00.360

Modified: 2019-10-03T00:03:26.223

Link: CVE-2018-14020

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2018-02-27T00:00:00", "descriptions": [{"lang": "en", "value": "An issue was discovered in the Paymorrow module 1.0.0 before 1.0.2 and 2.0.0 before 2.0.1 for OXID eShop. An attacker can bypass delivery-address change detection if the payment module doesn't use eShop's checkout procedure properly. To do so, the attacker must change the delivery address to one that is not verified by the Paymorrow module."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-08-20T21:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://bugs.oxid-esales.com/view.php?id=6801"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://oxidforge.org/en/security-bulletin-2018-003.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2018-14020", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An issue was discovered in the Paymorrow module 1.0.0 before 1.0.2 and 2.0.0 before 2.0.1 for OXID eShop. An attacker can bypass delivery-address change detection if the payment module doesn't use eShop's checkout procedure properly. To do so, the attacker must change the delivery address to one that is not verified by the Paymorrow module."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://bugs.oxid-esales.com/view.php?id=6801", "refsource": "CONFIRM", "url": "https://bugs.oxid-esales.com/view.php?id=6801"}, {"name": "https://oxidforge.org/en/security-bulletin-2018-003.html", "refsource": "CONFIRM", "url": "https://oxidforge.org/en/security-bulletin-2018-003.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T09:21:40.828Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugs.oxid-esales.com/view.php?id=6801"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://oxidforge.org/en/security-bulletin-2018-003.html"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2018-14020", "datePublished": "2018-08-20T22:00:00", "dateReserved": "2018-07-12T00:00:00", "dateUpdated": "2024-08-05T09:21:40.828Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:paymorrow:paymorrow:1.0.0:*:*:*:*:oxid_eshop:*:*", "matchCriteriaId": "A181EF40-6F77-43EE-8580-8CEA3E110411", "vulnerable": true}, {"criteria": "cpe:2.3:a:paymorrow:paymorrow:1.0.2:rc1:*:*:*:oxid_eshop:*:*", "matchCriteriaId": "5D471929-546A-4402-9699-E71B5941A679", "vulnerable": true}, {"criteria": "cpe:2.3:a:paymorrow:paymorrow:2.0.0:*:*:*:*:oxid_eshop:*:*", "matchCriteriaId": "1ADF1BC3-DF72-4BE3-A76A-A8E80EAE7F64", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in the Paymorrow module 1.0.0 before 1.0.2 and 2.0.0 before 2.0.1 for OXID eShop. An attacker can bypass delivery-address change detection if the payment module doesn't use eShop's checkout procedure properly. To do so, the attacker must change the delivery address to one that is not verified by the Paymorrow module."}, {"lang": "es", "value": "Se ha descubierto un problema en el m\u00f3dulo Paymorrow en versiones 1.0.0 anteriores a la 1.0.2 y 2.0.0 anteriores a la 2.0.1 para Oxid eShop. Un atacante puede omitir la detecci\u00f3n de cambios de direcciones de env\u00edo si el m\u00f3dulo de pago no utiliza el procedimiento de verificaci\u00f3n de eShop correctamente. Para ello, el atacante debe cambiar la direcci\u00f3n de entrega a una que no est\u00e9 verificada por el m\u00f3dulo Paymorrow."}], "id": "CVE-2018-14020", "lastModified": "2019-10-03T00:03:26.223", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-08-20T22:29:00.360", "references": [{"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://bugs.oxid-esales.com/view.php?id=6801"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://oxidforge.org/en/security-bulletin-2018-003.html"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}