PT-2021-11992 · Union Pay · Union Pay

Published: 2021-04-06
Updated: 2021-04-09
CVE: CVE-2020-36285
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Union Pay, versions up to 3.3.12
Description: The authentication code (MAC) that protects payment requests can be computed with a NULL (empty) secret key, and a MAC produced that way is accepted. Since no real secret is needed to produce a valid MAC, an attacker can alter a payment request (for example, the amount) and attach a freshly computed MAC, which lets them shop for free on merchants' websites and mobile apps. The root cause is improper verification of a cryptographic signature: the check confirms that the MAC matches, but never confirms that a provisioned, non-empty key was used to produce it.
Recommendations: For Union Pay versions up to 3.3.12, update to a version that properly verifies cryptographic signatures. Until the update is applied, treat a MAC as valid only after it has been verified server-side with a provisioned, non-empty merchant secret; fail closed when key material is missing or empty instead of falling back to a default, compare MACs in constant time, and never trust a MAC that the client could have computed without a secret.
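As an added illustration (this is not code from the original page or from the Union Pay SDK), the following Python models the defect class named in the description: a verifier in which a missing key silently degrades to an empty HMAC key, next to a hardened verifier that refuses to run without a provisioned secret. The field names, the canonical encoding and the merchant key are constructed for the example and are not the Union Pay message format.

```python
import hashlib
import hmac
from typing import Dict, Optional, Tuple

# Constructed sample order; field names and encoding are illustrative only,
# not the Union Pay message format.
ORDER: Dict[str, str] = {
    "merchant_id": "M000001",
    "order_id": "ORD-0001",
    "amount": "100.00",
    "currency": "156",
}

# Constructed merchant secret (in practice provisioned out of band, never in code).
MERCHANT_KEY = b"constructed-merchant-secret-key-0001"


def canonical(fields: Dict[str, str]) -> bytes:
    """Serialize fields in a fixed order so signer and verifier MAC the same bytes."""
    return "&".join(f"{k}={v}" for k, v in sorted(fields.items())).encode("utf-8")


def compute_mac(key: Optional[bytes], fields: Dict[str, str]) -> str:
    """HMAC-SHA256 over the canonical order.

    A None key silently degrades to b"" here. That is the defect class the
    advisory describes: the MAC is still well-formed, but anyone can compute it.
    """
    return hmac.new(key or b"", canonical(fields), hashlib.sha256).hexdigest()


def verify_mac_vulnerable(key: Optional[bytes], fields: Dict[str, str], mac: str) -> bool:
    """Verifier that never checks whether a real key was provisioned."""
    return compute_mac(key, fields) == mac


def verify_mac_hardened(key: Optional[bytes], fields: Dict[str, str], mac: str) -> bool:
    """Verifier that fails closed without a provisioned secret and compares in constant time."""
    if not key or len(key) < 16:  # missing, empty or degenerate key: reject outright
        return False
    expected = hmac.new(key, canonical(fields), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)


def forge(fields: Dict[str, str]) -> Tuple[Dict[str, str], str]:
    """Attacker's step: change the amount and 'sign' with no secret at all."""
    tampered = dict(fields, amount="0.01")
    return tampered, compute_mac(None, tampered)


def demo() -> Dict[str, bool]:
    """Run the forgery against both verifiers.

    The vulnerable verifier is called with key=None to model an SDK whose
    secret was never set; the hardened one is exercised with and without a key.
    """
    tampered, forged_mac = forge(ORDER)
    genuine_mac = compute_mac(MERCHANT_KEY, ORDER)
    return {
        "vulnerable_accepts_forgery": verify_mac_vulnerable(None, tampered, forged_mac),
        "hardened_rejects_forgery_without_key": not verify_mac_hardened(None, tampered, forged_mac),
        "hardened_rejects_forgery_with_key": not verify_mac_hardened(MERCHANT_KEY, tampered, forged_mac),
        "hardened_accepts_genuine": verify_mac_hardened(MERCHANT_KEY, ORDER, genuine_mac),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The vulnerable path shows why the bug is a verification failure rather than a weak algorithm: HMAC-SHA256 is sound, the MAC matches byte for byte, and the check passes; the secret simply never entered into it. The hardened verifier rejects the request at the key check before any MAC is compared, so an attacker without the merchant secret cannot produce anything it accepts.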

Weakness Enumeration

Improper Verification of Cryptographic Signature (CWE-347)

Related Identifiers

CVE-2020-36285

Affected Products

Union Pay