Drupal Commerce Paybox Authentication Bypass Vulnerability
Vulnerability
An authentication bypass vulnerability has been identified in the Drupal Commerce Paybox module for Drupal 7, affecting versions 7.x-1.0 through 7.x-1.5. The module does not properly verify the cryptographic signatures that protect the payment flow, so an attacker can forge a signature, bypass payment authentication, mark a payment as completed, and finalize an order without ever entering a credit card number.
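The advisory does not publish the module's code or the exact verification defect, so the following is an added, self-contained illustration of the bug class it names (improper signature verification on a payment callback) and of what a correct check looks like. It is not the Paybox module's code and it is not Paybox's real protocol: it assumes a simplified HMAC-SHA256 scheme, a hypothetical `signature` field, and a constructed merchant secret and set of callback parameters.

```python
import hashlib
import hmac
from typing import Callable, Dict
from urllib.parse import urlencode

# Constructed shared secret for the example; a real deployment keeps this in
# configuration and never in source code.
MERCHANT_SECRET = b"example-merchant-secret-not-real"


def canonical_string(params: Dict[str, str]) -> str:
    """Serialise every parameter except the signature itself, sorted by key,
    so signer and verifier hash exactly the same bytes. urlencode escapes
    '&' and '=' inside values, which keeps the encoding unambiguous."""
    return urlencode(sorted((k, v) for k, v in params.items() if k != "signature"))


def sign(params: Dict[str, str], secret: bytes = MERCHANT_SECRET) -> str:
    """What the (hypothetical) gateway does before sending the callback."""
    return hmac.new(secret, canonical_string(params).encode(), hashlib.sha256).hexdigest()


def weak_verify(params: Dict[str, str], secret: bytes = MERCHANT_SECRET) -> bool:
    """Constructed example of 'improper verification': a callback that carries
    no signature is accepted, so the whole check can be skipped by omitting
    the field. It also compares with '==', which is not constant-time.
    This is NOT the module's actual code, only the class of mistake."""
    sig = params.get("signature")
    if sig is None:
        return True
    return sig == sign(params, secret)


def strict_verify(params: Dict[str, str], secret: bytes = MERCHANT_SECRET) -> bool:
    """Hardened check: the signature must be present and non-empty, and it is
    compared to the locally recomputed value in constant time."""
    sig = params.get("signature")
    if not isinstance(sig, str) or not sig:
        return False
    expected = sign(params, secret)
    return hmac.compare_digest(sig.encode(), expected.encode())


def finalize_order(params: Dict[str, str], verify: Callable[[Dict[str, str]], bool]) -> str:
    """Order state a payment handler would set after processing the callback.
    Verification happens before any field (such as status) is trusted."""
    if not verify(params):
        return "rejected"
    if params.get("status") != "paid":
        return "pending"
    return "completed"


# Constructed sample callbacks.
GENUINE = {"order_id": "1001", "amount": "4999", "currency": "EUR", "status": "paid"}
GENUINE["signature"] = sign(GENUINE)

# A callback the gateway never sent: no signature at all.
FORGED_NO_SIG = {"order_id": "1002", "amount": "4999", "currency": "EUR", "status": "paid"}


def tampered_callback() -> Dict[str, str]:
    """A genuine callback whose amount was altered after signing."""
    t = dict(GENUINE)
    t["amount"] = "1"
    return t


if __name__ == "__main__":
    for name, cb in [("genuine", GENUINE), ("no signature", FORGED_NO_SIG), ("tampered", tampered_callback())]:
        print(f"{name:13} weak={finalize_order(cb, weak_verify):9} strict={finalize_order(cb, strict_verify)}")
```

Run stand-alone, the script shows the unsigned callback reaching "completed" under the weak verifier and "rejected" under the strict one, which is the difference between the vulnerable and patched behaviour described in this advisory. The two points worth carrying into any payment module are that absence of a signature must fail closed, and that the comparison must be constant-time.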
Impact
Exploitation of this vulnerability allows for unauthorized completion of payment transactions, potentially leading to fraudulent orders being processed without actual payment.
Remediation
Users can upgrade to Drupal Commerce Paybox version 7.x-1.6, which includes the necessary patch. For those using Drupal 7, the latest version can be downloaded from the Tag1 Consulting release page. Additionally, HeroDevs offers a patched version of this module for their customers.
