Impact
Improper verification of a cryptographic signature in Drupal Commerce Paybox allows an attacker to forge payment requests and bypass the authentication controls that normally ensure that only legitimate users can submit transactions. This flaw is classified under CWE-347. The result is that an unauthenticated or unauthorized user can create or modify payment orders without the platform detecting the tampering, potentially causing unauthorized funds to be processed or legitimate funds to be diverted.
Affected Systems
The issue affects Drupal Commerce Paybox 7.x-1.0 through 7.x-1.5, a module that extends Drupal 7 with e-commerce payment transactions. The product is supplied by Verifone and is listed in the CPE catalog as verifone:commerce_paybox. Any Drupal 7 site running one of the affected module versions is vulnerable.
Risk and Exploitability
The CVSS score of 8.7 indicates a high-severity risk. The EPSS score is under 1%, suggesting a low exploitation probability at present, and the flaw is not currently listed in the CISA Known Exploited Vulnerabilities catalog. The most likely attack vector is the web interface that accepts signed payment data: a correct implementation would require an attacker to hold a valid cryptographic signature, but because the module does not check the signature correctly, requests carrying a forged signature can still reach the payment-processing logic. An attacker able to construct such requests can perform the payment bypass without any further privileges.
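As an added illustration of the CWE-347 pattern described above (this is not code from the Paybox module, and the page does not describe the module's real signature scheme), the following Python contrasts a lenient payment-notification verifier with a hardened one. The HMAC-SHA256 scheme, the signed field names and the merchant secret are assumptions made for the example.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

# Constructed merchant secret for this illustration only (hypothetical; a real
# deployment loads it from protected configuration, never from the request).
MERCHANT_SECRET = b"constructed-merchant-secret"

# Every field that influences the payment outcome must be covered by the signature.
SIGNED_FIELDS = ("order_id", "amount", "currency", "status")


def compute_signature(params: dict) -> str:
    """HMAC-SHA256 over the signed fields in a fixed order (assumed scheme)."""
    canonical = "&".join(f"{name}={params[name]}" for name in SIGNED_FIELDS)
    return hmac.new(MERCHANT_SECRET, canonical.encode(), hashlib.sha256).hexdigest()


def build_notification(params: dict) -> str:
    """Gateway side: append a valid signature to a payment notification."""
    return urlencode({**params, "sig": compute_signature(params)})


def verify_lenient(query: str) -> bool:
    """Flawed pattern (CWE-347): a missing signature is treated as 'nothing to
    check', and a present one is compared with a timing-dependent ==."""
    params = dict(parse_qsl(query))
    if "sig" not in params:
        return True
    return params["sig"] == compute_signature(params)


def verify_strict(query: str) -> bool:
    """Hardened check: the signature and every signed field are mandatory, and
    the digest comparison is constant-time."""
    params = dict(parse_qsl(query))
    if any(name not in params for name in SIGNED_FIELDS + ("sig",)):
        return False
    return hmac.compare_digest(params["sig"], compute_signature(params))
```

Detection on the merchant side follows the same rule: log and alert on every notification that fails `verify_strict`, since a legitimate gateway never sends an unsigned or mis-signed message.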
OpenCVE Enrichment