CVE-2023-23941 SwagPayPal payment not sent to PayPal correctly

2023-02-0320:26:52

CWE-345

GitHub_M

www.cve.org

cve-2023-23941

swagpaypal

paypal integration

shopware/platform

javascript-based

checkout

paypal plus

smart payment buttons

sepa

pay later

venmo

credit card

order

security plugin

version 5.4.4

workaround

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS

0.001

Percentile

27.5%

JSON

SwagPayPal is a PayPal integration for shopware/platform. If JavaScript-based PayPal checkout methods are used (PayPal Plus, Smart Payment Buttons, SEPA, Pay Later, Venmo, Credit card), the amount and item list sent to PayPal may not be identical to the one in the created order. The problem has been fixed with version 5.4.4. As a workaround, disable the aforementioned payment methods or use the Security Plugin in version >= 1.0.21.

CNA Affected

[
  {
    "vendor": "shopware",
    "product": "SwagPayPal",
    "versions": [
      {
        "version": "< 5.4.4",
        "status": "affected"
      }
    ]
  }
]