Vulnerability Details : CVE-2018-14020
An issue was discovered in the Paymorrow module 1.0.0 before 1.0.2 and 2.0.0 before 2.0.1 for OXID eShop. An attacker can bypass delivery-address change detection if the payment module doesn't use eShop's checkout procedure properly. To do so, the attacker must change the delivery address to one that is not verified by the Paymorrow module.
Products affected by CVE-2018-14020
- cpe:2.3:a:paymorrow:paymorrow:1.0.0:*:*:*:*:oxid_eshop:*:*
- cpe:2.3:a:paymorrow:paymorrow:2.0.0:*:*:*:*:oxid_eshop:*:*
- cpe:2.3:a:paymorrow:paymorrow:1.0.2:rc1:*:*:*:oxid_eshop:*:*
Exploit prediction scoring system (EPSS) score for CVE-2018-14020
- EPSS score: 0.10% (probability of exploitation activity in the next 30 days)
- Percentile: ~43% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2018-14020
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N | 10.0 | 2.9 | NIST | |
5.3 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N | 3.9 | 1.4 | NIST | |
References for CVE-2018-14020
- https://bugs.oxid-esales.com/view.php?id=6801
  0006801: It is possible to bypass the check for delivery address changes during checkout process - OXID eShop bugtrack (Vendor Advisory)
- https://oxidforge.org/en/security-bulletin-2018-003.html
  Security Bulletin 2018-003 • OXIDforge (Vendor Advisory)