Lucene search

GitHub Advisory DatabaseGHSA-VXPM-8HCP-QH27

HistoryFeb 03, 2023 - 9:07 p.m.

Payment information sent to PayPal not necessarily identical to created order

2023-02-0321:07:28

CWE-345

GitHub Advisory Database

github.com

paypal

javascript-based

security plugin

shopware blog

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS

0.001

Percentile

27.5%

JSON

Impact

If JavaScript-based PayPal checkout methods are used (PayPal Plus, Smart Payment Buttons, SEPA, Pay Later, Venmo, Credit card), the amount and item list sent to PayPal may not be identical to the one in the created order.

Patches

The problem has been fixed with version 5.4.4

Workarounds

Disable the aforementioned payment methods or use the Security Plugin in version >= 1.0.21.

References

Shopware blog post

Affected configurations

Vulners

Node

swagpaypalRange<5.4.4

VendorProductVersionCPE
swagpaypal*cpe:2.3:a:swag:paypal:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
swag	paypal	*	cpe:2.3:a:swag:paypal::::::::

References

github.com/advisories/GHSA-vxpm-8hcp-qh27

github.com/shopware/SwagPayPal/commit/57db5f4a57ef0a1646b509b415de9f03bf441b08

github.com/shopware/SwagPayPal/security/advisories/GHSA-vxpm-8hcp-qh27

nvd.nist.gov/vuln/detail/CVE-2023-23941

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS

0.001

Percentile

27.5%

JSON

Related for GHSA-VXPM-8HCP-QH27