Vulnerability Details : CVE-2023-23941
SwagPayPal is a PayPal integration for shopware/platform. If JavaScript-based PayPal checkout methods are used (PayPal Plus, Smart Payment Buttons, SEPA, Pay Later, Venmo, Credit card), the amount and item list sent to PayPal may not be identical to the one in the created order. The problem has been fixed with version 5.4.4. As a workaround, disable the aforementioned payment methods or use the Security Plugin in version >= 1.0.21.
Products affected by CVE-2023-23941
- cpe:2.3:a:shopware:swagpaypal:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-23941
0.06% (probability of exploitation activity in the next 30 days)
~27% percentile (the proportion of vulnerabilities scored at or below this score)
CVSS scores for CVE-2023-23941
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N | 3.9 | 3.6 | NIST | |
7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N | 3.9 | 3.6 | GitHub, Inc. | |
CWE ids for CVE-2023-23941
- The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data. Assigned by: security-advisories@github.com (Secondary)
References for CVE-2023-23941
- https://github.com/shopware/SwagPayPal/security/advisories/GHSA-vxpm-8hcp-qh27 (Payment information sent to PayPal not necessarily identical to created order · Advisory · shopware/SwagPayPal · GitHub): Third Party Advisory
- https://github.com/shopware/SwagPayPal/commit/57db5f4a57ef0a1646b509b415de9f03bf441b08 (Update changelog · shopware/SwagPayPal@57db5f4 · GitHub): Patch; Third Party Advisory