Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
XXE DoS in TranzWare e-Commerce Payment Gateway - CVE-2021-28110
CVE-2021-28110
[Description]
TranzWare e-Commerce Payment Gateway (TWEC PG) before 3.1.27.5 had a vulnerability in XML-parser that was fixed with a notification sent to customers using TWEC PG.
------------------------------------------
[Additional Information]
During penetration testing of our clients' infrastructure, we discovered several vulnerabilities in third-party software - TranzWare e-Commerce Payment Gateway (TWEC PG). We contacted the Software Development Company to disclose the vulnerabilities.
The Software Development Company confirmed that the vulnerabilities had been fixed and the patched software had been released. We were told the version of the software in which the vulnerabilities had been fixed.
------------------------------------------
[VulnerabilityType Other]
Fixed with a notification sent to customers using TWEC PG.
------------------------------------------
[Vendor of Product]
Compass Plus Ltd.
------------------------------------------
[Affected Product Code Base]
TranzWare e-Commerce Payment Gateway (TWEC PG) - before 3.1.27.5
------------------------------------------
[Attack Type]
Remote.
------------------------------------------
[Affected Component]
/exec
------------------------------------------
[Discoverers]
Dmitriy Tatarov (https://www.linkedin.com/in/kukuxumushi/)
Evgeny Borovkov (https://www.linkedin.com/in/evgeny-borovkov-841734110/)
Deiteriy Co. Ltd. (https://deiteriylab.com/)
------------------------------------------
[Reference]
https://compassplus.ru/solutions/plug-play/merchant-acquiring/
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment