Commerce Realex Global Payments
Monthly
Incorrect Authorization (CWE-863) in the Drupal Commerce Realex / Global Payments module exposes protected payment and order resources to forceful browsing, allowing unauthenticated remote attackers to access endpoints that should require authorization. All module versions from 0.0.0 through 3.0.2 (exclusive) are affected on Drupal Commerce deployments. No public exploit code has been identified and SSVC confirms no active exploitation at time of analysis, though the nature of a payment gateway module means successful access could expose order or transaction data.
Incorrect Authorization (CWE-863) in the Drupal Commerce Realex / Global Payments module exposes protected payment and order resources to forceful browsing, allowing unauthenticated remote attackers to access endpoints that should require authorization. All module versions from 0.0.0 through 3.0.2 (exclusive) are affected on Drupal Commerce deployments. No public exploit code has been identified and SSVC confirms no active exploitation at time of analysis, though the nature of a payment gateway module means successful access could expose order or transaction data.