CVE-2017-6215
https://notcve.org/view.php?id=CVE-2017-6215
paypal/permissions-sdk-php is vulnerable to reflected XSS in the samples/GetAccessToken.php verification_code parameter, resulting in code execution. • https://github.com/paypal/permissions-sdk-php/issues/19 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2014-10067
https://notcve.org/view.php?id=CVE-2014-10067
paypal-ipn before 3.0.0 uses the `test_ipn` parameter (which is set by the PayPal IPN simulator) to determine if it should use the production PayPal site or the sandbox. With a bit of time, an attacker could craft a request using the simulator that would fool any application which does not explicitly check for `test_ipn` in production. • https://github.com/andzdroid/paypal-ipn/issues/11 https://nodesecurity.io/advisories/26 • CWE-287: Improper Authentication
CVE-2013-7202
https://notcve.org/view.php?id=CVE-2013-7202
The WebHybridClient class in PayPal 5.3 and earlier for Android allows remote attackers to execute arbitrary JavaScript on the system. • https://exchange.xforce.ibmcloud.com/vulnerabilities/92099 https://labs.mwrinfosecurity.com/advisories/paypal-remote-code-execution • CWE-264: Permissions, Privileges, and Access Controls
CVE-2013-7201
https://notcve.org/view.php?id=CVE-2013-7201
WebHybridClient.java in PayPal 5.3 and earlier for Android ignores SSL errors, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information. • http://secunia.com/advisories/57351 https://exchange.xforce.ibmcloud.com/vulnerabilities/92098 https://labs.mwrinfosecurity.com/advisories/paypal-remote-code-execution • CWE-295: Improper Certificate Validation
CVE-2017-6099
https://notcve.org/view.php?id=CVE-2017-6099
Cross-site scripting (XSS) vulnerability in GetAuthDetails.html.php in PayPal PHP Merchant SDK (aka merchant-sdk-php) 3.9.1 allows remote attackers to inject arbitrary web script or HTML via the token parameter. • http://www.securityfocus.com/bid/96432 https://github.com/paypal/merchant-sdk-php/issues/129 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')