This module enables you to make credit card payments for Drupal Commerce orders via the Authorize.Net payment gateway using either their SIM (hosted payment page) or DPM (direct post method) mechanisms.
The module doesn’t sufficiently protect against the premature triggering of order completion without successful payment by the manual entry of a specially-constructed URL which contains the correct payment redirect key.
This vulnerability is mitigated by the fact that an attacker must know the format of the redirect URL and the current payment redirect key. It’s also worth noting that orders prematurely completed in this fashion will NOT record a successful payment and thus show an unpaid balance.
Drupal core is not affected. If you do not use the contributed Commerce Authorize.Net SIM/DPM Payment Methods module, there is nothing you need to do.
Install the latest version:
Also see the Commerce Authorize.Net SIM/DPM Payment Methods project page.
cve.mitre.org/
twitter.com/drupalsecurity
www.drupal.org/contact
www.drupal.org/project/commerce_authnet_simdpm
www.drupal.org/security-team
www.drupal.org/security-team/risk-levels
www.drupal.org/security/secure-configuration
www.drupal.org/user/266840
www.drupal.org/user/680072
www.drupal.org/user/96266
www.drupal.org/writing-secure-code