Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.Project:
Date:
2018-January-31
Vulnerability:
Access Bypass
Description:
This module integrates the Sagepay payment service.
Some of the URLs used while processing the payment are not sufficiently secured. This might allow attackers to resume a previously failed payment attempt or to view content that should only be shown after a succesful payment. This affects all payments in a Drupal installation with this module enabled (including payments made using other payment methods).
Solution:
Install the latest version:
- If you use the sagepay_paymet module for Drupal 7.x, upgrade to sagepay_payment 7.x-1.5
Also see the Sagepay project page.
Reported By:
Fixed By:
Coordinated By:
- Greg Knaddison of the Drupal Security Team
