CVE-2024-41670 – PayPal Official Module for PrestaShop has Improperly Implemented Security Check for Standard
https://notcve.org/view.php?id=CVE-2024-41670
In the module "PayPal Official" for PrestaShop 7+ releases prior to version 6.4.2 and for PrestaShop 1.6 releases prior to version 3.18.1, a malicious customer can confirm an order even if payment is finally declined by PayPal. A logical weakness during the capture of a payment in case of disabled webhooks can be exploited to create an accepted order. This could allow a threat actor to confirm an order with a fraudulent payment support. Versions 6.4.2 and 3.18.1 contain a patch for the issue. Additionally, users enable webhooks and check they are callable. • https://github.com/202ecommerce/paypal/security/advisories/GHSA-w3w3-j3mh-3354 • CWE-285: Improper Authorization CWE-863: Incorrect Authorization •
CVE-2023-28843 – Improper neutralization of SQL parameter in PayPal module for PrestaShop
https://notcve.org/view.php?id=CVE-2023-28843
PrestaShop/paypal is an open source module for the PrestaShop web commerce ecosystem which provides paypal payment support. A SQL injection vulnerability found in the PrestaShop paypal module from release from 3.12.0 to and including 3.16.3 allow a remote attacker to gain privileges, modify data, and potentially affect system availability. The cause of this issue is that SQL queries were being constructed with user input which had not been properly filtered. Only deployments on PrestaShop 1.6 are affected. Users are advised to upgrade to module version 3.16.4. • https://github.com/202ecommerce/paypal/commit/2f6884ea1d0fe4b58441699fcc1d6c56c7d733eb https://github.com/202ecommerce/paypal/security/advisories/GHSA-66pc-8gh8-mx7m • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2013-7202
https://notcve.org/view.php?id=CVE-2013-7202
The WebHybridClient class in PayPal 5.3 and earlier for Android allows remote attackers to execute arbitrary JavaScript on the system. La clase WebHybridClient en PayPal 5.3 y anteriores para permite que atacantes remotos ejecuten JavaScript arbitrario en el sistema. • https://exchange.xforce.ibmcloud.com/vulnerabilities/92099 https://labs.mwrinfosecurity.com/advisories/paypal-remote-code-execution • CWE-264: Permissions, Privileges, and Access Controls •
CVE-2013-7201
https://notcve.org/view.php?id=CVE-2013-7201
WebHybridClient.java in PayPal 5.3 and earlier for Android ignores SSL errors, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information. WebHybridClient.java en PayPal 5.3 y anteriores para Android ignora los errores de SSL, lo que permite que atacantes Man-in-the-Middle (MitM) suplanten servidores y obtengan información sensible. • http://secunia.com/advisories/57351 https://exchange.xforce.ibmcloud.com/vulnerabilities/92098 https://labs.mwrinfosecurity.com/advisories/paypal-remote-code-execution • CWE-295: Improper Certificate Validation •