CVE-2017-6099
https://notcve.org/view.php?id=CVE-2017-6099
Cross-site scripting (XSS) vulnerability in GetAuthDetails.html.php in PayPal PHP Merchant SDK (aka merchant-sdk-php) 3.9.1 allows remote attackers to inject arbitrary web script or HTML via the token parameter.
References: http://www.securityfocus.com/bid/96432 ; https://github.com/paypal/merchant-sdk-php/issues/129
Weakness: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2012-5787
https://notcve.org/view.php?id=CVE-2012-5787
The PayPal merchant SDK does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
References: http://secunia.com/advisories/51184 ; http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf ; http://www.securityfocus.com/bid/56445 ; https://exchange.xforce.ibmcloud.com/vulnerabilities/79913 ; https://github.com/paypal/SDKs/commit/5f2d6dd77fb4211dcde34e36f1864234526c5d64
Weakness: CWE-20: Improper Input Validation