CVE-2020-8818

Name of the Vulnerable Software and Affected Versions CardGate Payments plugin versions through 2.0.30 for Magento 2

Description The issue is related to the lack of origin authentication in the IPN callback processing function in Controller/Payment/Callback.php. This allows an attacker to remotely replace critical plugin settings, such as merchant ID and secret key, and bypass the payment process. For example, an attacker can spoof an order status by manually sending an IPN callback request with a valid signature but without real payment, and/or receive all of the subsequent payments.

Recommendations For CardGate Payments plugin versions through 2.0.30, consider disabling the IPN callback processing function in Controller/Payment/Callback.php until a patch is available to prevent remote replacement of critical plugin settings. Restrict access to the Callback.php file to minimize the risk of exploitation. Avoid using the IPN callback request with a valid signature but without real payment until the issue is resolved.