PT-2019-9762 · Stripe · Stripe Api

Published 2019-01-03 · Updated 2019-01-31 · CVE-2018-19249

CVSS v3.1 7.5 High
Vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Vulnerable software and affected versions: Stripe API v1
Description: The Stripe API allows remote attackers to bypass intended access restrictions. An attacker who captures the browser's XMLHttpRequest for token creation can replay it against the "/v1/tokens" endpoint on api.stripe.com. When token creation succeeds, the card{} object in the response carries the cvc_check result, so the attacker learns whether the CVC supplied in the request matched the card without any charge being made against it. Because token creation needs only the publishable key, the endpoint acts as an unauthenticated oracle for the validity of a CVC.
Recommendations: For Stripe API v1, as a temporary workaround, restrict access to the /v1/tokens endpoint until a patch is available, and do not rely on the cvc_check value returned under the card{} object until the issue is resolved.
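The following is an added example, not Stripe's code and not from this advisory. It models the behaviour described above: a mock of POST /v1/tokens in a vulnerable form, where any holder of the publishable key gets the issuer's card.cvc_check verdict on token creation with no charge, beside a hardened form that returns "unchecked" and only reveals the verdict when the secret-key holder charges the token. The issuer table, the keys (pk_ / sk_ prefixes), the token ids and the request shapes are constructed for the example; the handlers are a model, not Stripe's implementation or its fix.

```javascript
// Added example, not Stripe's code: a model of the cvc_check oracle from the
// advisory. Vulnerable vs hardened mock of POST /v1/tokens, plus the replay
// loop that turns the vulnerable response into a CVC-validity oracle.

// Constructed issuer data: PAN -> the CVC the issuer would accept.
const ISSUER_CVC = new Map([["4242424242424242", "123"]]);

// Stripe reports cvc_check as "pass", "fail", "unavailable" or "unchecked".
function issuerCvcCheck(card) {
  if (!ISSUER_CVC.has(card.number)) return "unavailable";
  return ISSUER_CVC.get(card.number) === card.cvc ? "pass" : "fail";
}

let tokenSeq = 0;
function newToken(card, cvcCheck) {
  tokenSeq += 1;
  // Only the Token fields relevant to the advisory are modelled.
  return {
    id: "tok_" + String(tokenSeq).padStart(6, "0"),
    object: "token",
    card: { object: "card", last4: card.number.slice(-4), cvc_check: cvcCheck },
  };
}

function invalidRequest(code) {
  return { error: { type: "invalid_request_error", code } };
}

// Vulnerable handler: any caller holding the publishable key learns the verdict
// at token creation, before any charge exists.
function vulnerableCreateToken(req) {
  if (!req.auth.startsWith("pk_")) return invalidRequest("invalid_key");
  return newToken(req.card, issuerCvcCheck(req.card));
}

// Hardened handler: the verdict is withheld from the token; the card stays
// server-side until a charge (secret key required) consumes the token.
function hardenedCreateToken(req, pending) {
  if (!req.auth.startsWith("pk_")) return invalidRequest("invalid_key");
  const tok = newToken(req.card, "unchecked");
  pending.set(tok.id, req.card);
  return tok;
}

function hardenedCharge(req, pending) {
  if (!req.auth.startsWith("sk_")) return invalidRequest("invalid_key");
  const card = pending.get(req.token);
  if (!card) return invalidRequest("resource_missing");
  pending.delete(req.token); // tokens are single-use, so each guess costs a charge
  if (issuerCvcCheck(card) !== "pass") {
    return { error: { type: "card_error", code: "incorrect_cvc" } };
  }
  return { object: "charge", paid: true, amount: req.amount };
}

// Replay loop from the advisory: re-POST the captured token request for each
// candidate CVC and read card.cvc_check from the response.
function replayGuessCvc(createToken, number, candidates) {
  let attempts = 0;
  for (const cvc of candidates) {
    attempts += 1;
    const resp = createToken({ auth: "pk_test_example", card: { number, cvc } });
    if (resp.card && resp.card.cvc_check === "pass") return { cvc, attempts };
  }
  return { cvc: null, attempts };
}

// Runs the same replay against both handlers. Against the vulnerable one the
// CVC is recovered on the third attempt; against the hardened one every
// response says "unchecked" and the guesses only pile up as pending tokens.
function demo() {
  const guesses = ["000", "111", "123", "999"];
  const pan = "4242424242424242";
  const viaVulnerable = replayGuessCvc(vulnerableCreateToken, pan, guesses);
  const pending = new Map();
  const viaHardened = replayGuessCvc(
    (req) => hardenedCreateToken(req, pending), pan, guesses);
  return { viaVulnerable, viaHardened, pendingTokens: pending.size };
}
```

The design point is where the verdict crosses a trust boundary: in the hardened form the only way to learn whether a CVC matched is to attempt a charge with the secret key, which produces an auditable, rate-limitable event per guess instead of a free check against a publishable-key endpoint.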

Weakness Enumeration

Improper Authentication (CWE-287)

Related identifiers

CVE-2018-19249

Affected products

Stripe Api