Access Control Vulnerability in Stripe API v1
CVE-2018-19249

7.5HIGH

Key Information:

Vendor: Stripe
Status: Stripe Api
Vendor: CVE Published:; 3 January 2019

What is CVE-2018-19249?

The Stripe API version 1 is susceptible to an access control vulnerability that permits remote attackers to bypass intended access restrictions. This is achieved by replaying XMLHttpRequest data to the API endpoint /v1/tokens. If the token creation is successful, attackers can parse the API response to retrieve sensitive information, such as the cvc_check status of a card, without needing to actually charge the card used in the transaction. This exploit could potentially lead to significant unauthorized access to confidential payment data.

References

https://fredmooredamian.blogspot.com/2019/01/improper-aut...

x_refsource_MISC

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 3, 2019
Vulnerability Reserved
Nov 13, 2018