Hello everybody,
We've discovered another security issue with the payment module,
which allows unauthenticated access to all payment features which are available through the configured APIs (
details).
This is a high severity issue, we recommend to either upgrade immediately. As a hotfix, it's sufficient to remove the payment/code/Harness.php file.
Please upgrade anyway, since there's another (medium severity) issue around XML injection into DPS payment requests.
Thanks
Ingo