[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FD] CVE-2024-25286 - RedSys - A Cross-Site Request Forgery (CSRF) vulnerability was identified in the Authorization Method of 3DSecure 2.0

To: "fulldisclosure@xxxxxxxxxxxx" <fulldisclosure@xxxxxxxxxxxx>
Subject: [FD] CVE-2024-25286 - RedSys - A Cross-Site Request Forgery (CSRF) vulnerability was identified in the Authorization Method of 3DSecure 2.0
From: RUBEN LOPEZ HERRERA <ruben.lopezherrera@xxxxxxxxxxxxxx>
Date: Tue, 10 Sep 2024 12:15:22 +0000

Product: 3DSecure 2.0
Manufacturer: Redsys
Affected Version(s): 3DSecure 2.0 3DS Authorization Method
Tested Version(s): 3DSecure 2.0 3DS Authorization Method
Vulnerability Type: Cross-Site Request Forgery (CSRF)
Risk Level: Medium
Solution Status: Not yet fixed
Manufacturer Notification: 2024-01-17
Solution Date: N/A
Public Disclosure: 2024-09-17
CVE Reference: CVE-2024-25286

Overview:
A Cross-Site Request Forgery (CSRF) vulnerability was identified in the 
Authorization Method of 3DSecure 2.0, allowing attackers to submit unauthorized 
form data by modifying the HTTP Origin and Referer headers.

Vulnerability Details:
By altering the Origin and Referer headers, attackers can trick the server into 
processing unauthorized transactions.

Solution:
No solution is currently available. Redsys has been notified.

References:
OWASP Web Security Testing Guide: CSRF

Discoverer:
Reported by Rubén López Herrera

________________________________

Este mensaje y sus adjuntos se dirigen exclusivamente a su destinatario, puede 
contener información privilegiada o confidencial y es para uso exclusivo de la 
persona o entidad de destino. Si no es usted. el destinatario indicado, queda 
notificado de que la lectura, utilización, divulgación y/o copia sin 
autorización puede estar prohibida en virtud de la legislación vigente. Si ha 
recibido este mensaje por error, le rogamos que nos lo comunique inmediatamente 
por esta misma vía y proceda a su destrucción.

The information contained in this transmission is confidential and privileged 
information intended only for the use of the individual or entity named above. 
If the reader of this message is not the intended recipient, you are hereby 
notified that any dissemination, distribution or copying of this communication 
is strictly prohibited. If you have received this transmission in error, do not 
read it. Please immediately reply to the sender that you have received this 
communication in error and then delete it.

Esta mensagem e seus anexos se dirigem exclusivamente ao seu destinatário, pode 
conter informação privilegiada ou confidencial e é para uso exclusivo da pessoa 
ou entidade de destino. Se não é vossa senhoria o destinatário indicado, fica 
notificado de que a leitura, utilização, divulgação e/ou cópia sem autorização 
pode estar proibida em virtude da legislação vigente. Se recebeu esta mensagem 
por erro, rogamos-lhe que nos o comunique imediatamente por esta mesma via e 
proceda a sua destruição
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

Prev by Date: [FD] CVE-2024-25285 - RedSys - 3DSecure 2.0 is vulnerable to form action hijacking
Next by Date: [FD] APPLE-SA-09-16-2024-1 iOS 18 and iPadOS 18
Previous by thread: [FD] CVE-2024-25285 - RedSys - 3DSecure 2.0 is vulnerable to form action hijacking
Next by thread: [FD] APPLE-SA-09-16-2024-1 iOS 18 and iPadOS 18
Index(es):
- Date
- Thread