Commerce Elavon - Moderately critical - Access bypass - SA-CONTRIB-2022-053

Project: Commerce ElavonVersion: 8.x-2.28.x-2.18.x-2.08.x-2.0-beta28.x-2.0-beta17.x-1.47.x-1.37.x-1.27.x-1.17.x-1.0Date: 2022-August-24Security risk: Moderately critical 11∕25 AC:Complex/A:None/CI:None/II:Some/E:Theoretical/TD:DefaultVulnerability: Access bypassAffected versions: <=2.2.0Description: This module enables you to accept payments from the Elavon payment provider.
The module doesn't sufficiently verify that it's communicating with the correct server when using the Elavon (On-site) payment gateway, which could lead to leaking valid payment details as well as accepting invalid payment details.
This vulnerability is mitigated by the fact that an attacker must be able to spoof the Elavon DNS received by your site.Solution: Install the latest version:

Reported By: 

Fixed By: 

Coordinated By: 

Path to article