CVE-2020-23533

Name of the Vulnerable Software and Affected Versions Union Pay versions up to 1.2.0

Description The issue allows attackers to shop for free in merchants' websites and mobile apps via a crafted authentication code (MAC) generated based on a secret key which is NULL. This is due to an improper verification of cryptographic signature.

Recommendations For Union Pay versions up to 1.2.0, update to a version later than 1.2.0 to resolve the issue. As a temporary workaround, consider implementing additional validation checks for the authentication code (MAC) to prevent exploitation. Restrict access to the vulnerable web-based versions to minimize the risk of exploitation.