Commerce Eurobank (Redirect) - Moderately critical - Access bypass - SA-CONTRIB-2025-066

Project:

Commerce Eurobank (Redirect)

Date:

2025-May-21

Security risk:

Moderately critical 13 ∕ 25 AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:All

Vulnerability:

Access bypass

Affected versions:

<2.1.1

CVE IDs:

CVE-2025-48445

Description:

This module enables you to pay for Commerce order to an environment provided and secured by the bank

The module doesn't sufficiently verify the payment status on canceled orders. An attacker can issue a specially crafted request to update the order status to completed.

Solution:

Install the latest version:

If you use the commerce_eurobank_redirect module for Drupal 8.x, upgrade to commerce_eurobank_redirect 2.1.1

Reported By:

Marios Tsalkidis (silios)

Fixed By:

Coordinated By:

Greg Knaddison (greggles) of the Drupal Security Team
Juraj Nemec (poker10) of the Drupal Security Team

Contribution record

Contact and more information

The Drupal security team can be reached by email at security at drupal.org or via the contact form.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Bluesky, or Mastodon or Linkedin.

Contributing organizations for this advisory

The security team is made up of volunteers around the world. The companies above have sponsored time on this release.

Commerce Eurobank (Redirect) - Moderately critical - Access bypass - SA-CONTRIB-2025-066

Contact and more information

Contributing organizations for this advisory

News items

Our community

Documentation

Drupal code base

Governance of community