CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2024-41670 – PayPal Official Module for PrestaShop has Improperly Implemented Security Check for Standard
https://notcve.org/view.php?id=CVE-2024-41670
In the module "PayPal Official" for PrestaShop 7+ releases prior to version 6.4.2 and for PrestaShop 1.6 releases prior to version 3.18.1, a malicious customer can confirm an order even if payment is finally declined by PayPal. A logical weakness during the capture of a payment in case of disabled webhooks can be exploited to create an accepted order. This could allow a threat actor to confirm an order with a fraudulent payment support. Versions 6.4.2 and 3.18.1 contain a patch for the issue. Additionally, users enable webhooks and check they are callable. • https://github.com/202ecommerce/paypal/security/advisories/GHSA-w3w3-j3mh-3354 • CWE-285: Improper Authorization CWE-863: Incorrect Authorization •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2021-41120 – Unauthorized access to Credit card form in sylius/paypal-plugin
https://notcve.org/view.php?id=CVE-2021-41120
sylius/paypal-plugin is a paypal plugin for the Sylius development platform. In affected versions the URL to the payment page done after checkout was created with autoincremented payment id (/pay-with-paypal/{id}) and therefore it was easy to predict. The problem is that the Credit card form has prefilled "credit card holder" field with the Customer's first and last name and hence this can lead to personally identifiable information exposure. Additionally, the mentioned form did not require authentication. The problem has been patched in Sylius/PayPalPlugin 1.2.4 and 1.3.1. • https://github.com/Sylius/PayPalPlugin/commit/2adc46be2764ccee22b4247139b8056fb8d1afff https://github.com/Sylius/PayPalPlugin/commit/814923c2e9d97fe6279dcee866c34ced3d2fb7a7 https://github.com/Sylius/PayPalPlugin/security/advisories/GHSA-25fx-mxc2-76g7 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0CVE-2013-7202
https://notcve.org/view.php?id=CVE-2013-7202
The WebHybridClient class in PayPal 5.3 and earlier for Android allows remote attackers to execute arbitrary JavaScript on the system. La clase WebHybridClient en PayPal 5.3 y anteriores para permite que atacantes remotos ejecuten JavaScript arbitrario en el sistema. • https://exchange.xforce.ibmcloud.com/vulnerabilities/92099 https://labs.mwrinfosecurity.com/advisories/paypal-remote-code-execution • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 7.4EPSS: 0%CPEs: 1EXPL: 0CVE-2013-7201
https://notcve.org/view.php?id=CVE-2013-7201
WebHybridClient.java in PayPal 5.3 and earlier for Android ignores SSL errors, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information. WebHybridClient.java en PayPal 5.3 y anteriores para Android ignora los errores de SSL, lo que permite que atacantes Man-in-the-Middle (MitM) suplanten servidores y obtengan información sensible. • http://secunia.com/advisories/57351 https://exchange.xforce.ibmcloud.com/vulnerabilities/92098 https://labs.mwrinfosecurity.com/advisories/paypal-remote-code-execution • CWE-295: Improper Certificate Validation •
CVSS: 2.9EPSS: 0%CPEs: 4EXPL: 0CVE-2010-4211
https://notcve.org/view.php?id=CVE-2010-4211
The PayPal app before 3.0.1 for iOS does not verify that the server hostname matches the domain name of the subject of an X.509 certificate, which allows man-in-the-middle attackers to spoof a PayPal web server via an arbitrary certificate. La aplicación de PayPal anterior a v3.0.1 de IOS no comprueba que el nombre del servidor coincide con el nombre de dominio del sujeto de un certificado X.509, que permite a los atacantes "man-in-the-middle" falsificar un servidor web de PayPal a través de un certificado de su elección. • http://itunes.apple.com/us/app/paypal/id283646709 http://news.cnet.com/8301-27080_3-20021730-245.html http://online.wsj.com/article/SB10001424052748703506904575592782874885808.html http://viaforensics.com/press-releases/viaforensics-uncovers-paypal-application-vulnerability.html http://viaforensics.com/security/viaforensics-uncovers-significant-vulnerability-paypal-iphone.html http://www.securityfocus.com/bid/44657 http://www.vupen.com/english/advisories/2010/2887 https://exchange.xforce.ibmcloud.com/vulnerabilities/63002 • CWE-287: Improper Authentication •