CVSS2: 5 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS3: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS: 0.001 Low
Percentile: 29.6%

This module integrates the Skrill online payment services with Drupal Commerce.
When processing Instant payment notifications (IPN), the “Moneybookers enterprise” payment method provided by the Commerce Skrill contributed module does not perform sufficient access checking, potentially allowing forged notifications to be accepted as valid.
The vulnerability is mitigated by the fact that it only affects the “Moneybookers enterprise” payment method.
This affects the “Moneybookers enterprise” payment method provided by the Commerce Skrill contributed module in all versions prior to 7.x-1.2.
Drupal core is not affected. If you do not use the contributed Commerce Skrill (Formerly Moneybookers) module, there is nothing you need to do.
Install the latest version. The “Moneybookers enterprise” payment method now requires the use of the hash security option.
Also see the Commerce Skrill (Formerly Moneybookers) project page.
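
The difference between an optional and a mandatory notification hash, as an added example that is not the Commerce Skrill module's code. It assumes the earlier check was skipped when no secret was configured; the field names, the HMAC-SHA256 scheme and the secret are hypothetical, and the gateway's real hash format has to come from its integration documentation.

```php
<?php
// Added illustration, not the Commerce Skrill module's code. Field names, the
// HMAC-SHA256 scheme and the secret are assumptions made for this example.
const SIGNED_FIELDS = ['transaction_id', 'order_id', 'amount', 'currency', 'status'];

// Length-prefix each value so field boundaries cannot be shifted.
function ipn_signature(array $fields, string $secret): string {
  $message = '';
  foreach (SIGNED_FIELDS as $name) {
    $value = (string) ($fields[$name] ?? '');
    $message .= strlen($value) . ':' . $value;
  }
  return hash_hmac('sha256', $message, $secret);
}

// Optional check: with no secret configured, every notification passes.
function ipn_valid_optional(array $post, ?string $secret): bool {
  if ($secret === null || $secret === '') {
    return true;
  }
  return hash_equals(ipn_signature($post, $secret), (string) ($post['hash'] ?? ''));
}

// Mandatory check: a missing secret, hash or signed field is a rejection.
function ipn_valid_required(array $post, ?string $secret): bool {
  if ($secret === null || $secret === '') {
    return false;
  }
  foreach (array_merge(SIGNED_FIELDS, ['hash']) as $name) {
    if (!isset($post[$name]) || !is_string($post[$name])) {
      return false;
    }
  }
  // Constant-time comparison of the recomputed and the received hash.
  return hash_equals(ipn_signature($post, $secret), $post['hash']);
}

// Constructed sample notifications: one signed, one carrying no hash.
$secret = 'constructed-shared-secret';
$genuine = ['transaction_id' => 'T1001', 'order_id' => '42', 'amount' => '19.99',
            'currency' => 'EUR', 'status' => 'paid'];
$genuine['hash'] = ipn_signature($genuine, $secret);
$unsigned = ['transaction_id' => 'T9999', 'order_id' => '43', 'amount' => '0.01',
             'currency' => 'EUR', 'status' => 'paid'];

var_dump(ipn_valid_optional($unsigned, null));     // optional check, no secret set
var_dump(ipn_valid_required($unsigned, null));     // mandatory check, no secret set
var_dump(ipn_valid_required($unsigned, $secret));  // mandatory check, hash absent
var_dump(ipn_valid_required($genuine, $secret));   // mandatory check, signed
```

A handler built this way should also reject the notification before touching order state, so a failed check never changes the payment status.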
drupal.org/contact
drupal.org/node/1959998
drupal.org/project/commerce_moneybookers
drupal.org/security-team
drupal.org/security-team/risk-levels
drupal.org/security/secure-configuration
drupal.org/user/262198
drupal.org/user/519520
drupal.org/user/972218
drupal.org/writing-secure-code
www.moneybookers.com/ads/partners/?p=Drupalcommerce