Vulnerability from drupal
Published: 2026-06-24 18:40
Modified: 2026-06-25 07:10
Summary
Details

This module enables you to take payments through the Global Payments / Realex Hosted Payment Page (HPP), either via a lightbox iframe or via a full-page redirect.

When the gateway is configured with the redirect payment method, the module doesn't sufficiently verify the authenticity of the payment response returned by Global Payments.

The lightbox payment method validates the signature and is not affected; sites that use the lightbox payment method are therefore not affected.

Credits
Bill Seremetis (bserem) www.drupal.org/u/bserem

{
  "affected": [
    {
      "database_specific": {
        "affected_versions": "\u003c3.0.2"
      },
      "package": {
        "ecosystem": "Packagist:https://packages.drupal.org/8",
        "name": "drupal/commerce_realex"
      },
      "ranges": [
        {
          "database_specific": {
            "constraint": "\u003c3.0.2"
          },
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "severity": []
    }
  ],
  "aliases": [
    "CVE-2026-13238"
  ],
  "credits": [
    {
      "contact": [
        "https://www.drupal.org/u/bserem"
      ],
      "name": "Bill Seremetis (bserem)"
    }
  ],
  "details": "This module enables you to take payments through the Global Payments / Realex Hosted Payment Page (HPP), either via a lightbox iframe or via a full-page redirect.\n\nWhen the gateway is configured with the **redirect** payment method, the module doesn\u0027t sufficiently verify the authenticity of the payment response returned by Global Payments.\n\nThe **lightbox** payment method validates the signature and is not affected, so sites that use the lightbox payment method are not affected.",
  "id": "DRUPAL-CONTRIB-2026-058",
  "modified": "2026-06-25T07:10:08.000Z",
  "published": "2026-06-24T18:40:07.000Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://www.drupal.org/sa-contrib-2026-058"
    }
  ],
  "schema_version": "1.7.0"
}

