{ "id": "CVE-2018-14020", "sourceIdentifier": "cve@mitre.org", "published": "2018-08-20T22:29:00.360", "lastModified": "2019-10-03T00:03:26.223", "vulnStatus": "Analyzed", "descriptions": [ { "lang": "en", "value": "An issue was discovered in the Paymorrow module 1.0.0 before 1.0.2 and 2.0.0 before 2.0.1 for OXID eShop. An attacker can bypass delivery-address change detection if the payment module doesn't use eShop's checkout procedure properly. To do so, the attacker must change the delivery address to one that is not verified by the Paymorrow module." }, { "lang": "es", "value": "Se ha descubierto un problema en el m\u00f3dulo Paymorrow en versiones 1.0.0 anteriores a la 1.0.2 y 2.0.0 anteriores a la 2.0.1 para OXID eShop. Un atacante puede omitir la detecci\u00f3n de cambios de direcciones de env\u00edo si el m\u00f3dulo de pago no utiliza el procedimiento de compra (checkout) de eShop correctamente. Para ello, el atacante debe cambiar la direcci\u00f3n de entrega a una que no est\u00e9 verificada por el m\u00f3dulo Paymorrow." 
} ], "metrics": { "cvssMetricV30": [ { "source": "nvd@nist.gov", "type": "Primary", "cvssData": { "version": "3.0", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM" }, "exploitabilityScore": 3.9, "impactScore": 1.4 } ], "cvssMetricV2": [ { "source": "nvd@nist.gov", "type": "Primary", "cvssData": { "version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "availabilityImpact": "NONE", "baseScore": 5.0 }, "baseSeverity": "MEDIUM", "exploitabilityScore": 10.0, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false } ] }, "weaknesses": [ { "source": "nvd@nist.gov", "type": "Primary", "description": [ { "lang": "en", "value": "NVD-CWE-noinfo" } ] } ], "configurations": [ { "nodes": [ { "operator": "OR", "negate": false, "cpeMatch": [ { "vulnerable": true, "criteria": "cpe:2.3:a:paymorrow:paymorrow:1.0.0:*:*:*:*:oxid_eshop:*:*", "matchCriteriaId": "A181EF40-6F77-43EE-8580-8CEA3E110411" }, { "vulnerable": true, "criteria": "cpe:2.3:a:paymorrow:paymorrow:1.0.2:rc1:*:*:*:oxid_eshop:*:*", "matchCriteriaId": "5D471929-546A-4402-9699-E71B5941A679" }, { "vulnerable": true, "criteria": "cpe:2.3:a:paymorrow:paymorrow:2.0.0:*:*:*:*:oxid_eshop:*:*", "matchCriteriaId": "1ADF1BC3-DF72-4BE3-A76A-A8E80EAE7F64" } ] } ] } ], "references": [ { "url": "https://bugs.oxid-esales.com/view.php?id=6801", "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ] }, { "url": "https://oxidforge.org/en/security-bulletin-2018-003.html", "source": "cve@mitre.org", "tags": 
[ "Vendor Advisory" ] } ] }