SilverStripe Payment Module: 0.4.2 and 0.3.2 security release

Ingo Schommer

Mar 4, 2013, 6:51:13 PM
to silverstri...@googlegroups.com
Hello everybody,

We've discovered another security issue with the payment module,
which allows unauthenticated access to all payment features which are available through the configured APIs (details).
This is a high severity issue; we recommend upgrading immediately. As a hotfix, it's sufficient to remove the payment/code/Harness.php file.
Please upgrade anyway, since there's another (medium severity) issue around XML injection into DPS payment requests.

To fix the issue, either upgrade to 0.3.2 (download) and 0.4.2 (download), or apply the patch.

Thanks
Ingo