kukuxumushi/CVE-2021-28110

## CVE-2021-28110
CVE-2021-28110

 [Description]
 TranzWare e-Commerce Payment Gateway (TWEC PG) before 3.1.27.5 had a vulnerability in XML-parser that was fixed with a notification sent to customers using TWEC PG.

 ------------------------------------------

 [Additional Information]
 During penetration testing of our clients' infrastructure, we discovered several vulnerabilities in third-party software - TranzWare e-Commerce Payment Gateway (TWEC PG). We contacted the Software Development Company to disclose the vulnerabilities.

 The Software Development Company confirmed that the vulnerabilities had been fixed and the patched software had been released. We were told the version of the software in which the vulnerabilities had been fixed.

 ------------------------------------------

 [VulnerabilityType Other]
 Fixed with a notification sent to customers using TWEC PG.

 ------------------------------------------

 [Vendor of Product]
 Compass Plus Ltd.

 ------------------------------------------

 [Affected Product Code Base]
 TranzWare e-Commerce Payment Gateway (TWEC PG) - before 3.1.27.5

 ------------------------------------------

 [Attack Type]
 Remote.

 ------------------------------------------

 [Affected Component]
 /exec

 ------------------------------------------

 [Discoverers]
 Dmitriy Tatarov (https://www.linkedin.com/in/kukuxumushi/)
 Evgeny Borovkov (https://www.linkedin.com/in/evgeny-borovkov-841734110/)
 Deiteriy Co. Ltd. (https://deiteriylab.com/)

 ------------------------------------------

 [Reference]
 https://compassplus.ru/solutions/plug-play/merchant-acquiring/
	CVE-2021-28110

	[Description]
	TranzWare e-Commerce Payment Gateway (TWEC PG) before 3.1.27.5 had a vulnerability in XML-parser that was fixed with a notification sent to customers using TWEC PG.

	------------------------------------------

	[Additional Information]
	During penetration testing of our clients' infrastructure, we discovered several vulnerabilities in third-party software - TranzWare e-Commerce Payment Gateway (TWEC PG). We contacted the Software Development Company to disclose the vulnerabilities.

	The Software Development Company confirmed that the vulnerabilities had been fixed and the patched software had been released. We were told the version of the software in which the vulnerabilities had been fixed.

	------------------------------------------

	[VulnerabilityType Other]
	Fixed with a notification sent to customers using TWEC PG.

	------------------------------------------

	[Vendor of Product]
	Compass Plus Ltd.

	------------------------------------------

	[Affected Product Code Base]
	TranzWare e-Commerce Payment Gateway (TWEC PG) - before 3.1.27.5

	------------------------------------------

	[Attack Type]
	Remote.

	------------------------------------------

	[Affected Component]
	/exec

	------------------------------------------

	[Discoverers]
	Dmitriy Tatarov (https://www.linkedin.com/in/kukuxumushi/)
	Evgeny Borovkov (https://www.linkedin.com/in/evgeny-borovkov-841734110/)
	Deiteriy Co. Ltd. (https://deiteriylab.com/)

	------------------------------------------

	[Reference]
	https://compassplus.ru/solutions/plug-play/merchant-acquiring/