CVE-2022-29254: 
PHP vulnerability analysis and mitigation

CVE-2022-29254 affects silverstripe-omnipay, a SilverStripe integration with Omnipay PHP payments library. The vulnerability was disclosed on June 9, 2022, and impacts multiple versions of the software including versions prior to 2.5.2, 3.0.2, 3.1.4, and 3.2.1. The issue allows payments to be prematurely marked as completed without actual payment processing for certain Omnipay gateways that use intermediary states like isNotification() or isRedirect() (GitHub Advisory, NVD).

The vulnerability stems from improper validation in payment completion handling. It specifically affects gateways that utilize intermediary states through isNotification() or isRedirect() functions. The issue occurs when payment identifiers or success URLs are exposed, allowing unauthorized completion of payment records. The vulnerability has been assigned a CVSS v3.1 base score of 3.7 (LOW) with a vector string of CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N, indicating network accessibility but high attack complexity (NVD).

The vulnerability allows attackers to mark payments as completed without actual payment processing when they have access to payment identifiers or success URLs. While the impact is mitigated by most payment gateways that properly hide this information, the risk is elevated when dealing with certain issuing banks that have flawed 3DSecure implementations which may inadvertently expose the sensitive data (GitHub Advisory).

The vulnerability has been patched in versions 2.5.2, 3.0.2, 3.1.4, and 3.2.1. Users are advised to upgrade to these patched versions as there are no known workarounds for this vulnerability (GitHub Advisory).