5 results (0.012 seconds)

CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0

In the module "PayPal Official" for PrestaShop 7+ releases prior to version 6.4.2 and for PrestaShop 1.6 releases prior to version 3.18.1, a malicious customer can confirm an order even if payment is finally declined by PayPal. A logical weakness during the capture of a payment in case of disabled webhooks can be exploited to create an accepted order. This could allow a threat actor to confirm an order with a fraudulent payment support. Versions 6.4.2 and 3.18.1 contain a patch for the issue. Additionally, users enable webhooks and check they are callable. • https://github.com/202ecommerce/paypal/security/advisories/GHSA-w3w3-j3mh-3354 • CWE-285: Improper Authorization CWE-863: Incorrect Authorization •

CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0

sylius/paypal-plugin is a paypal plugin for the Sylius development platform. In affected versions the URL to the payment page done after checkout was created with autoincremented payment id (/pay-with-paypal/{id}) and therefore it was easy to predict. The problem is that the Credit card form has prefilled "credit card holder" field with the Customer's first and last name and hence this can lead to personally identifiable information exposure. Additionally, the mentioned form did not require authentication. The problem has been patched in Sylius/PayPalPlugin 1.2.4 and 1.3.1. • https://github.com/Sylius/PayPalPlugin/commit/2adc46be2764ccee22b4247139b8056fb8d1afff https://github.com/Sylius/PayPalPlugin/commit/814923c2e9d97fe6279dcee866c34ced3d2fb7a7 https://github.com/Sylius/PayPalPlugin/security/advisories/GHSA-25fx-mxc2-76g7 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-639: Authorization Bypass Through User-Controlled Key •

CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0

The WebHybridClient class in PayPal 5.3 and earlier for Android allows remote attackers to execute arbitrary JavaScript on the system. La clase WebHybridClient en PayPal 5.3 y anteriores para permite que atacantes remotos ejecuten JavaScript arbitrario en el sistema. • https://exchange.xforce.ibmcloud.com/vulnerabilities/92099 https://labs.mwrinfosecurity.com/advisories/paypal-remote-code-execution • CWE-264: Permissions, Privileges, and Access Controls •

CVSS: 7.4EPSS: 0%CPEs: 1EXPL: 0

WebHybridClient.java in PayPal 5.3 and earlier for Android ignores SSL errors, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information. WebHybridClient.java en PayPal 5.3 y anteriores para Android ignora los errores de SSL, lo que permite que atacantes Man-in-the-Middle (MitM) suplanten servidores y obtengan información sensible. • http://secunia.com/advisories/57351 https://exchange.xforce.ibmcloud.com/vulnerabilities/92098 https://labs.mwrinfosecurity.com/advisories/paypal-remote-code-execution • CWE-295: Improper Certificate Validation •

CVSS: 2.9EPSS: 0%CPEs: 4EXPL: 0

The PayPal app before 3.0.1 for iOS does not verify that the server hostname matches the domain name of the subject of an X.509 certificate, which allows man-in-the-middle attackers to spoof a PayPal web server via an arbitrary certificate. La aplicación de PayPal anterior a v3.0.1 de IOS no comprueba que el nombre del servidor coincide con el nombre de dominio del sujeto de un certificado X.509, que permite a los atacantes "man-in-the-middle" falsificar un servidor web de PayPal a través de un certificado de su elección. • http://itunes.apple.com/us/app/paypal/id283646709 http://news.cnet.com/8301-27080_3-20021730-245.html http://online.wsj.com/article/SB10001424052748703506904575592782874885808.html http://viaforensics.com/press-releases/viaforensics-uncovers-paypal-application-vulnerability.html http://viaforensics.com/security/viaforensics-uncovers-significant-vulnerability-paypal-iphone.html http://www.securityfocus.com/bid/44657 http://www.vupen.com/english/advisories/2010/2887 https://exchange.xforce.ibmcloud.com/vulnerabilities/63002 • CWE-287: Improper Authentication •