PaypalCVEs & Vulnerabilities

25 CVEs affecting Paypal products, tracked from the National Vulnerability Database, with CVSS/EPSS scores and exploitation status.

Most Affected Products

paypal 3php toolkit 2braintree\/sanitize-url 2payments standard 2payments pro 2merchant sdk 1mass pay 1instant payment notification 1
CVE-2022-48345MEDIUM

sanitize-url (aka @braintree/sanitize-url) before 6.0.2 allows XSS via HTML entities.

24 Feb 2023
6.1
CVSS
CVE-2022-21129CRITICAL

Versions of the package nemo-appium before 0.0.9 are vulnerable to Command Injection due to improper input sanitization in the 'module.exports.setup' function. **Note:** In order to exploit this vulnerability appium-running 0.1.3 has to be installed as one of nemo-appium dependencies.

31 Jan 2023
9.8
CVSS
CVE-2021-23648MEDIUM

The package @braintree/sanitize-url before 6.0.0 are vulnerable to Cross-site Scripting (XSS) due to improper sanitization in sanitizeUrl function.

16 Mar 2022
6.1
CVSS
CVE-2017-6217MEDIUM

paypal/adaptivepayments-sdk-php v3.9.2 is vulnerable to a reflected XSS in the SetPaymentOptions.php resulting code execution

10 Jul 2019
6.1
CVSS
CVE-2017-6215MEDIUM

paypal/permissions-sdk-php is vulnerable to reflected XSS in the samples/GetAccessToken.php verification_code parameter, resulting in code execution.

3 Aug 2018
5.4
CVSS
CVE-2017-6213MEDIUM

paypal/invoice-sdk-php is vulnerable to reflected XSS in samples/permissions.php via the permToken parameter, resulting in code execution.

3 Aug 2018
5.4
CVSS
CVE-2013-7202HIGH

The WebHybridClient class in PayPal 5.3 and earlier for Android allows remote attackers to execute arbitrary JavaScript on the system.

27 Apr 2018
8.1
CVSS
CVE-2013-7201HIGH

WebHybridClient.java in PayPal 5.3 and earlier for Android ignores SSL errors, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information.

27 Apr 2018
7.4
CVSS
CVE-2017-6099MEDIUM

Cross-site scripting (XSS) vulnerability in GetAuthDetails.html.php in PayPal PHP Merchant SDK (aka merchant-sdk-php) 3.9.1 allows remote attackers to inject arbitrary web script or HTML via the token parameter.

24 Feb 2017
6.1
CVSS
CVE-2011-5237MEDIUM

PayPal WPS ToolKit does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

6 Nov 2012
5.8
CVSS
CVE-2012-5806MEDIUM

The PayPal Payments Pro module in Zen Cart does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate, related to use of the PHP fsockopen function, a different vulnerability than CVE-2012-5805.

5 Nov 2012
5.8
CVSS
CVE-2012-5805MEDIUM

The PayPal IPN functionality in Zen Cart does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate, a different vulnerability than CVE-2012-5806.

5 Nov 2012
5.8
CVSS
CVE-2012-5802MEDIUM

The PayPal module in Ubercart does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

5 Nov 2012
5.8
CVSS
CVE-2012-5798MEDIUM

The PayPal Pro PayFlow EC module in osCommerce does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

5 Nov 2012
5.8
CVSS
CVE-2012-5796MEDIUM

The PayPal Pro module in osCommerce does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

5 Nov 2012
5.8
CVSS
CVE-2012-5791MEDIUM

PayPal Invoicing does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

5 Nov 2012
5.8
CVSS
CVE-2012-5790MEDIUM

PayPal Payments Standard PHP Library 20120427 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate, related to misinterpretation of a certain TRUE value.

5 Nov 2012
5.8
CVSS
CVE-2012-5789MEDIUM

PayPal Payments Standard PHP Library before 20120427 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate, related to intentional disabling of certificate-validation checks through a "FALSE" value.

5 Nov 2012
5.8
CVSS
CVE-2012-5788MEDIUM

The PayPal IPN utility does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate, related to use of the PHP fsockopen function.

5 Nov 2012
5.8
CVSS
CVE-2012-5787MEDIUM

The PayPal merchant SDK does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

5 Nov 2012
5.8
CVSS
CVE-2012-5784MEDIUM

Apache Axis 1.4 and earlier, as used in PayPal Payments Pro, PayPal Mass Pay, PayPal Transactional Information SOAP, the Java Message Service implementation in Apache ActiveMQ, and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

5 Nov 2012
5.8
CVSS
CVE-2012-2991MEDIUM

The PayPal (aka MODULE_PAYMENT_PAYPAL_STANDARD) module before 1.1 in osCommerce Online Merchant before 2.3.4 allows remote attackers to set the payment recipient via a modified value of the merchant's e-mail address, as demonstrated by setting the recipient to one's self.

19 Sep 2012
5.0
CVSS
CVE-2012-2058MEDIUM

The Ubercart Payflow module for Drupal does not use a secure token, which allows remote attackers to forge payments via unspecified vectors.

17 Sep 2012
5.0
CVSS
CVE-2006-0201MEDIUM

Dave Nielsen and Patrick Breitenbach PayPal Web Services (aka PHP Toolkit) 0.50, and possibly earlier versions, allows remote attackers to enter false payment entries into the log file via HTTP POST requests to ipn_success.php.

14 Jan 2006
5.0
CVSS
CVE-2006-0202LOW

Dave Nielsen and Patrick Breitenbach PayPal Web Services (aka PHP Toolkit) 0.50 and possibly earlier has (1) world-readable permissions for ipn/logs/ipn_success.txt, which allows local users to view sensitive information (payment data), and (2) world-writable permissions for ipn/logs, which allows local users to delete or replace payment data.

14 Jan 2006
3.6
CVSS
← PrevPage 1 / 1Next →