Users need cookies enabled for session handling on the credit card form to prevent CSRF. At the moment, depending on the particular form the user sees, they can either be entered into an infinite loop of the credit card form refreshing -or- they can still transparently go through the process, although it is a security vulnerability
Version: unspecified
Severity: enhancement