PT-2024-20857 · Unknown · 3Dsecure 2.0

Published 2024-09-11 · Updated 2024-10-22 · CVE-2024-25282

None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Name of the Vulnerable Software and Affected Versions

3DSecure 2.0 version 3DS Method Authentication

Description

The issue is a Cross-Site Scripting (XSS) vulnerability in the 3DS Method Authentication of 3DSecure 2.0. It can be exploited via a modified params parameter in a "/rest/online" request that includes a "/redirect?action=challenge&txn=" substring.

Recommendations

For 3DSecure 2.0 version 3DS Method Authentication, as a temporary workaround, consider restricting access to the "/rest/online" endpoint until a patch is available. Avoid using the params parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Related Identifiers

CVE-2024-25282

Affected Products

3Dsecure 2.0