"It has been a pleasure to work with Casey, Rick and Phil from Ricochet. We were initially faced with a dip in productivity on our project due to some team member's contributing to DrupalCon Munich. Casey and team were able to step in, ramp up, and start contributing to solutions immediately. When our team members returned from Munich, we decided the Ricochet guys were too valuable and helpful to let go, so we have kept them on as members of the team until launch.
—Suzy Bates, Four Kitchens

Mollie for Drupal - Moderately critical - Faulty payment confirmation logic - SA-CONTRIB-2023-052

Wed, 2023-11-15 06:24 — Anonymous (not verified)

Project: Mollie for DrupalDate: 2023-November-15Security risk: Moderately critical 12∕25 AC:Complex/A:None/CI:None/II:Some/E:Theoretical/TD:AllVulnerability: Faulty payment confirmation logicAffected versions: <2.2.1Description: This module enables you to pay online via Mollie.
The module might not properly load the correct order to update the payment status when Mollie redirects to the redirect URL. This can allow an attacker to apply other people's orders to their own, getting credit without paying.
This vulnerability is mitigated by the fact that an attacker must have some knowledge about the module's internal functionality. The issue only affects installations that use the Mollie for Drupal Commerce submodule.Solution: Install the latest version:

If you use the Mollie for Drupal module, upgrade to Mollie for Drupal 2.2.1.

Reported By:

Fixed By:

Coordinated By:

Greg Knaddison of the Drupal Security Team
xjm of the Drupal Security Team

Path to article https://www.drupal.org/sa-contrib-2023-052

Search form

Mollie for Drupal - Moderately critical - Faulty payment confirmation logic - SA-CONTRIB-2023-052