janteuber
commented
2 years ago Hello @mfickers ,
Thank you very much for your message.
Did you notice this behavior in test or live mode?
In test mode, this behavior is wanted.
Closed mfickers closed 2 years ago
janteuber
commented
2 years ago Hello @mfickers ,
Thank you very much for your message.
Did you notice this behavior in test or live mode?
In test mode, this behavior is wanted.
mfickers
commented
2 years ago This behavior is the same for both modes. I've tested in live mode for v3.3.0 on Magento 2.4.2-p1 and in test mode for v3.4.1 on Magento 2.4.3.
Just to be clear, I'm not talking about the test mode accepting any three digit number as a valid validation code, but specifically an empty input field not resulting in an error.
janteuber
commented
2 years ago Hello @mfickers , I could reproduce your issue and created a ticket. We will provide a fix in our new plugin version (End of May 2022)
torhoehn
commented
2 years ago @janteuber I think this issue shouldn't be closed until the fix is released, because the problem still exists. Personally I think End of May is really late for such a security relevant feature.
janteuber
commented
2 years ago Hello @torhoehn @mfickers , we merged the fix for that issue: https://github.com/PAYONE-GmbH/magento-2/pull/438 and will release it in our new plugin version (End of May 2022)
We are using v3.3.0 of this extension in a Magento 2.4.2-p1, but I've also tested this with v3.4.1 and Magento 2.4.3. CVC validation is enabled. Unfortunately it is still possible to place an order using Payone credit card as payment method without supplying the card's CVC.
Validation works as expected as long as something is entered in the validation code field. Incorrect length or invalid characters are not allowed and result in an error message. But when leaving the field blank, there is no validation at all and it is possible to complete the order.
Prerequisites
Steps to reproduce
Expected result
Actual result