CVE-2023-23941 – swag/paypal

Package

Manager: composer
Name: swag/paypal
Vulnerable Version: >=0 <5.4.4

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00056 pctl0.17458

Details

Payment information sent to PayPal not necessarily identical to created order ### Impact If JavaScript-based PayPal checkout methods are used (PayPal Plus, Smart Payment Buttons, SEPA, Pay Later, Venmo, Credit card), the amount and item list sent to PayPal may not be identical to the one in the created order. ### Patches The problem has been fixed with version 5.4.4 ### Workarounds Disable the aforementioned payment methods or use the Security Plugin in version >= 1.0.21. ### References [Shopware blog post](https://news.shopware.com/security-issue-in-paypal-plugin-update-required)

Metadata

Created: 2023-02-03T21:07:28Z
Modified: 2023-02-15T18:38:53Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-vxpm-8hcp-qh27/GHSA-vxpm-8hcp-qh27.json
CWE IDs: ["CWE-345"]
Alternative ID: GHSA-vxpm-8hcp-qh27
Finding: F204
Auto approve: 1