
Cloud Vulnerability DB
A community-led vulnerabilities database
An issue was discovered in the CardGate Payments plugin for Magento 2, through version 2.0.30. The vulnerability, identified as CVE-2020-8818, was disclosed on February 24, 2020. The flaw lies in the IPN callback processing function in Controller/Payment/Callback.php, which does not authenticate the origin of incoming requests (NVD, GitHub Issue).
The vulnerability is classified as an Origin Validation Error (CWE-346) with a CVSS v3.1 Base Score of 8.1 (HIGH). Because the callback handler never verifies where a request came from, any remote sender can reach the code path that pulls plugin configuration from the request. That code is located in Controller/Payment/Callback.php between lines 88 and 107 (GitHub Source).
As a result, an attacker can remotely replace critical plugin settings, including the merchant ID and secret key. This has two significant impacts: the payment process can be bypassed by spoofing an order status through a manually issued IPN callback that carries a valid signature but corresponds to no actual payment, and all subsequent payments intended for the store can be hijacked and redirected (NVD).
The vulnerability was fixed in a release after version 2.0.30, through PR #53 on the CardGate repository (GitHub Issue). Users should upgrade the CardGate Payments plugin to a version newer than 2.0.30.
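The core of the problem described above is that a signature check is only as trustworthy as the secret it is checked against: if the same unauthenticated callback can overwrite the merchant ID and secret, a sender who supplies both can also supply a signature that verifies. The following Python model, added here as an illustration and not taken from the CardGate plugin (which is PHP) or from PR #53, contrasts a hypothetical weak handler that accepts settings from the callback with a hardened one that only ever uses the store's own configuration. The HMAC-SHA256 scheme, field names, and sample values are all constructed assumptions.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed sample values for the demo; not the plugin's real configuration.
TRUSTED_CONFIG = {"merchant_id": "merchant-1234", "secret": "store-configured-secret"}


@dataclass
class Store:
    config: dict    # merchant settings loaded from the store's own configuration
    orders: dict    # order_id -> status
    rejected: list  # audit trail of rejected callbacks, useful for detection


def sign(payload: dict, secret: str) -> str:
    """HMAC-SHA256 over a canonical JSON form of the payload (assumed scheme)."""
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hmac.new(secret.encode(), canonical.encode(), hashlib.sha256).hexdigest()


def insecure_callback(store: Store, request: dict) -> str:
    """Hypothetical weak pattern: the callback may overwrite merchant settings,
    so the secret used to verify the signature can be chosen by the sender."""
    if "merchant_id" in request and "secret" in request:
        store.config = {"merchant_id": request["merchant_id"], "secret": request["secret"]}
    expected = sign(request["payload"], store.config["secret"])
    if not hmac.compare_digest(expected, request.get("signature", "")):
        store.rejected.append(request)
        return "rejected"
    store.orders[request["payload"]["order_id"]] = request["payload"]["status"]
    return "accepted"


def hardened_callback(store: Store, request: dict) -> str:
    """Settings are never taken from the callback: any attempt to ship them is
    rejected, the payload must name the configured merchant, and the signature
    is verified only against the store's own secret."""
    if "merchant_id" in request or "secret" in request:
        store.rejected.append(request)
        return "rejected"
    payload = request.get("payload", {})
    if payload.get("merchant_id") != store.config["merchant_id"]:
        store.rejected.append(request)
        return "rejected"
    expected = sign(payload, store.config["secret"])
    if not hmac.compare_digest(expected, request.get("signature", "")):
        store.rejected.append(request)
        return "rejected"
    store.orders[payload["order_id"]] = payload["status"]
    return "accepted"


def demo() -> dict:
    """Run both handlers against a genuine callback and a settings-replacing one."""
    genuine = {"payload": {"merchant_id": TRUSTED_CONFIG["merchant_id"],
                           "order_id": "1001", "status": "paid"}}
    genuine["signature"] = sign(genuine["payload"], TRUSTED_CONFIG["secret"])

    # A callback that carries its own settings and a signature made under them.
    untrusted_secret = "sender-chosen-secret"
    settings_replacing = {"merchant_id": "other-merchant", "secret": untrusted_secret,
                          "payload": {"merchant_id": "other-merchant",
                                      "order_id": "1002", "status": "paid"}}
    settings_replacing["signature"] = sign(settings_replacing["payload"], untrusted_secret)

    results = {}
    for name, handler in (("insecure", insecure_callback), ("hardened", hardened_callback)):
        store = Store(config=dict(TRUSTED_CONFIG), orders={}, rejected=[])
        results[name] = {
            "genuine": handler(store, genuine),
            "settings_replacing": handler(store, settings_replacing),
            "orders": dict(store.orders),
            "merchant_id_after": store.config["merchant_id"],
            "rejected_count": len(store.rejected),
        }
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running `demo()` shows the insecure handler marking order 1002 as paid and ending with the merchant ID replaced, while the hardened handler keeps the original configuration, records the rejected request for review, and accepts only the callback signed under the store's own secret.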
Source: This report was generated using AI