CVE-2018-14020: Paymorrow Improper Input Validation vulnerability

CVSS Score: 5.3 (CVSS 3.0)

Basic Information

EPSS Score: 0.42752%
CWE: -
Published: 5/13/2022
Updated: 4/23/2024
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
| --- | --- | --- | --- |
| oxid-esales/paymorrow-module | composer | >= 1.0.0, < 1.0.2 | 1.0.2 |
| oxid-esales/paymorrow-module | composer | >= 2.0.0, < 2.0.1 | 2.0.1 |

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The provided vulnerability descriptions indicate a logic flaw in how the Paymorrow module interacts with OXID eShop's checkout procedure, but no specific function names or code patterns are disclosed in the available references. The core issue appears to be a missing validation step when handling delivery address changes, potentially in payment processing workflows. However, without access to the original codebase, patch diffs, or explicit documentation of affected functions (which are not present in GHSA/NVD descriptions), we cannot confidently identify specific vulnerable functions. The vulnerability stems from architectural integration flaws rather than isolated function-level weaknesses.


WAF Protection Rules

WAF Rule

An issue was discovered in the Paymorrow module 1.0.0 before 1.0.2 and 2.0.0 before 2.0.1 for OXID eShop. An attacker can bypass delivery-address change detection if the payment module doesn't use eShop's checkout procedure properly. To do so, the at
