CVE-2026-0750

Signature Forgery
Affects: Commerce Paybox in Drupal 7
Versions: >=7.1.0 <=7.1.5
Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview

Drupal is an open-source content management system known for its flexibility, robust features, and strong community support. Organizations of all sizes use it to build and manage dynamic websites and web applications. The Commerce Paybox contributed module allows users to pay through the commercial Paybox service.

The vulnerable module allows an attacker to craft a return URL that marks a transaction as successful without a real payment. The fix ensures that this is no longer possible.

Signature forgery is a vulnerability that allows attackers to create fraudulent digital signatures that appear legitimate, often by exploiting weaknesses in cryptographic algorithms, improper verification processes (such as CWE-347: Improper Verification of Cryptographic Signature), or flaws in key management and signature validation. This can occur in contexts like JWTs, XML documents, or API tokens where signatures are used to ensure integrity and authenticity, enabling attackers to tamper with data or impersonate entities without the private key. Additional information is available at OWASP: https://owasp.org/Top10/A02_2021-Cryptographic_Failures.

Ramifications include:

  • Data tampering
  • Unauthorized access
  • Identity spoofing
  • Malware injection
  • Trust erosion, and
  • System compromise.

This issue affects all versions of Drupal 7 Commerce Paybox including and below 7.1.5; it is patched in Commerce Paybox NES version 7.1.6.

Details

Vulnerability Info

This high-severity vulnerability is found in all versions of the Commerce Paybox module equal to or lower than 7.1.5.

This fix adds Paybox signature verification on the offsite return using the Paybox public key (the sig parameter). If the IPN hasn’t confirmed the payment and the gateway returned a non-00000 error, the redirect is rejected.
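To make the two checks in that fix concrete, here is an added example written in Go rather than the module's PHP; it is not the Commerce Paybox code. It assumes Paybox signs the URL-encoded query preceding "&sig=" with RSA/SHA-1 and that the gateway error code arrives in an err parameter; the parameter names, amounts and key are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"encoding/base64"
	"errors"
	"net/url"
	"strings"
)

// VerifyPayboxReturn applies the two checks the fix describes: the sig
// parameter must be a valid RSA signature (by the Paybox public key) over the
// query string preceding "&sig=", and the return is only trusted if the IPN
// already confirmed the payment or the gateway error code is "00000".
// Assumption: SHA-1/PKCS#1 v1.5 over the raw query, sig last and URL-encoded.
func VerifyPayboxReturn(rawQuery string, pub *rsa.PublicKey, ipnConfirmed bool) error {
	values, err := url.ParseQuery(rawQuery)
	if err != nil {
		return err
	}
	sig, err := base64.StdEncoding.DecodeString(values.Get("sig"))
	idx := strings.LastIndex(rawQuery, "&sig=")
	if err != nil || idx < 0 {
		return errors.New("reject: sig parameter missing or not a trailing base64 value")
	}
	digest := sha1.Sum([]byte(rawQuery[:idx]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA1, digest[:], sig) != nil {
		return errors.New("reject: sig does not verify against the Paybox public key")
	}
	if code := values.Get("err"); !ipnConfirmed && code != "00000" {
		return errors.New("reject: no IPN confirmation and gateway error " + code)
	}
	return nil
}

// SignReturn plays the gateway so the check can be exercised offline with a
// constructed test key; a real deployment loads Paybox's published public key.
func SignReturn(query string, priv *rsa.PrivateKey) (string, error) {
	digest := sha1.Sum([]byte(query))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA1, digest[:])
	if err != nil {
		return "", err
	}
	return query + "&sig=" + url.QueryEscape(base64.StdEncoding.EncodeToString(sig)), nil
}
```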

Addressing the Issue

Users of the affected component(s) can address this exploit in one of the following ways:

  • Remove/disable the Paybox payment method from checkout so orders can’t complete through it.
  • Restrict the callback endpoints (/commerce_paybox/auto and the return URL) at the reverse proxy/WAF to only known Paybox IPs. Note that this reduces the attack surface but is not a fix.
  • Add a temporary reverse-proxy rule to drop callbacks with missing/invalid sig parameters. Note that this reduces the attack surface but is not a fix.
  • The only true mitigations are disabling the module or patching it. Consider signing up for post-EOL security support; HeroDevs customers get immediate access to a patched version of this module.

Credits

  • David Hernández (defr)

Vulnerability Details

ID: CVE-2026-0750
Project Affected: Commerce Paybox
Versions Affected: >=7.1.0 <=7.1.5
Published date: January 13, 2026
Fix date: May 28, 2025
Severity: High
CVSS severity scale: Low >=0 <4; Medium >=4 <6; High >=6 <8; Critical >=8 <10
Category: Signature Forgery