CWE-472
AllowedExternal Control of Assumed-Immutable Web Parameter
Abstraction: Base · Status: Draft
The web application does not sufficiently verify inputs that are assumed to be immutable but are actually externally controllable, such as hidden form fields.
188 vulnerabilities reference this CWE, most recent first.
GHSA-PGJM-XW6Q-9MVJ
Vulnerability from github – Published: 2022-05-13 01:36 – Updated: 2025-04-20 03:50In versions 4.3.2-R4 and prior of Cambium Networks cnPilot firmware, the 'ping' and 'traceroute' functions of the web administrative console expose a file path traversal vulnerability, accessible to all authenticated users.
{
"affected": [],
"aliases": [
"CVE-2017-5261"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-472"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-12-20T22:29:00Z",
"severity": "HIGH"
},
"details": "In versions 4.3.2-R4 and prior of Cambium Networks cnPilot firmware, the \u0027ping\u0027 and \u0027traceroute\u0027 functions of the web administrative console expose a file path traversal vulnerability, accessible to all authenticated users.",
"id": "GHSA-pgjm-xw6q-9mvj",
"modified": "2025-04-20T03:50:21Z",
"published": "2022-05-13T01:36:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-5261"
},
{
"type": "WEB",
"url": "https://blog.rapid7.com/2017/12/19/r7-2017-25-cambium-epmp-and-cnpilot-multiple-vulnerabilities"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PHR6-CG52-W545
Vulnerability from github – Published: 2026-05-14 21:30 – Updated: 2026-05-14 21:30Integer overflow in XML in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
{
"affected": [],
"aliases": [
"CVE-2026-8532"
],
"database_specific": {
"cwe_ids": [
"CWE-472"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-14T20:17:14Z",
"severity": "HIGH"
},
"details": "Integer overflow in XML in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)",
"id": "GHSA-phr6-cg52-w545",
"modified": "2026-05-14T21:30:45Z",
"published": "2026-05-14T21:30:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8532"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_12.html"
},
{
"type": "WEB",
"url": "https://issues.chromium.org/issues/492812194"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PP79-HQV6-VMC3
Vulnerability from github – Published: 2026-04-28 22:39 – Updated: 2026-05-07 18:46Summary
The application fails to validate the nick parameter during a POST request to the EditUser controller. Although the UI prevents editing this field, a user can bypass this restriction using a proxy to rename any account (including the Administrator). This leads to Broken Access Control and potential Audit Log Corruption.
Details
The vulnerability exists in the user update logic. When a POST request is sent to /EditUser, the backend processes the nick form-data parameter without checking if it matches the original value or if the user has the privilege to change a unique identifier that is intended to be immutable.
PoC
1. Log in to the dashboard as any user (e.g. admin user).
2. Go to your Profile by clicking your username/avatar in the top right.
3. Open Burp Suite and ensure Intercept is ON.
5. Click the Save button in the UI.
6. In Burp Suite, locate nick in the body:
7. Change the value admin to Vulnerable (or any other string).
8. Click Forward in Burp Suite.
The application will log the user out. It is possible to now log back in using the username "Vulnerable" and the original password.
Impact
An attacker can effectively sabotage the system’s audit trail, performing malicious actions and then renaming their account to evade detection or frame other users. This breakdown in accountability facilitates identity impersonation and risks data corruption, as internal references to the original username become orphaned, undermining the overall integrity of the multi-user environment.
Result
Before
After
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "facturascripts/facturascripts"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "2024.92.x-dev"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-32699"
],
"database_specific": {
"cwe_ids": [
"CWE-284",
"CWE-472"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-28T22:39:01Z",
"nvd_published_at": "2026-05-05T20:16:35Z",
"severity": "MODERATE"
},
"details": "### Summary\nThe application fails to validate the ```nick``` parameter during a ```POST``` request to the ```EditUser``` controller. Although the UI prevents editing this field, a user can bypass this restriction using a proxy to rename any account (including the Administrator). This leads to Broken Access Control and potential Audit Log Corruption.\n\n### Details\nThe vulnerability exists in the user update logic. When a ```POST``` request is sent to ```/EditUser```, the backend processes the ```nick``` form-data parameter without checking if it matches the original value or if the user has the privilege to change a unique identifier that is intended to be immutable.\n\n### PoC\n***1.*** Log in to the dashboard as any user (e.g. admin user).\n\n***2.*** Go to your Profile by clicking your username/avatar in the top right.\n\n***3.*** Open Burp Suite and ensure Intercept is ON.\n\n***5.*** Click the Save button in the UI.\n\n***6.*** In Burp Suite, locate ```nick``` in the body:\n\n\u003cimg width=\"1915\" height=\"1013\" alt=\"Screenshot_2026-03-04_05_26_32\" src=\"https://github.com/user-attachments/assets/aea4e6fd-beba-4a47-96da-8b9bd9075681\" /\u003e\n\n\n***7.*** Change the value admin to Vulnerable (or any other string).\n\n***8.*** Click Forward in Burp Suite.\n\nThe application will log the user out. It is possible to now log back in using the username \"Vulnerable\" and the original password.\n\n### Impact\nAn attacker can effectively sabotage the system\u2019s audit trail, performing malicious actions and then renaming their account to evade detection or frame other users. This breakdown in accountability facilitates identity impersonation and risks data corruption, as internal references to the original username become orphaned, undermining the overall integrity of the multi-user environment.\n\n### Result\n\n#### Before \n\n\u003cimg width=\"1920\" height=\"996\" alt=\"Screenshot_2026-03-04_05_25_30\" src=\"https://github.com/user-attachments/assets/3b2d34e5-a2b9-4da9-9a56-963fe1a8fd65\" /\u003e\n\n#### After\n\n\u003cimg width=\"1920\" height=\"955\" alt=\"Screenshot_2026-03-04_05_27_00\" src=\"https://github.com/user-attachments/assets/af1de0ef-2b55-4d29-9557-29ee26a3775a\" /\u003e",
"id": "GHSA-pp79-hqv6-vmc3",
"modified": "2026-05-07T18:46:57Z",
"published": "2026-04-28T22:39:01Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/NeoRazorX/facturascripts/security/advisories/GHSA-pp79-hqv6-vmc3"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32699"
},
{
"type": "PACKAGE",
"url": "https://github.com/NeoRazorX/facturascripts"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
],
"summary": "FacturaScripts has Insecure Parameter Handling: Unauthorized Modification of Immutable \u0027nick\u0027 Field"
}
GHSA-PQQ3-Q84H-PJ6X
Vulnerability from github – Published: 2025-03-17 21:26 – Updated: 2025-03-17 21:26A vulnerability allows users to manipulate the final payment amount processed by PayPal. If a user modifies the item quantity in their shopping cart after initiating the PayPal Checkout process, PayPal will not receive the updated total amount. As a result, PayPal captures only the initially transmitted amount, while Sylius incorrectly considers the order fully paid based on the modified total. This flaw can be exploited both accidentally and intentionally, potentially enabling fraud by allowing customers to pay less than the actual order value.
Impact
- Attackers can intentionally pay less than the actual total order amount.
- Business owners may suffer financial losses due to underpaid orders.
- Integrity of payment processing is compromised.
Patches
The issue is fixed in versions: 1.6.1, 1.7.1, 2.0.1 and above.
Workarounds
To resolve the problem in the end application without updating to the newest patches, there is a need to overwrite ProcessPayPalOrderAction with modified logic:
<?php
declare(strict_types=1);
namespace App\Controller;
use Doctrine\Persistence\ObjectManager;
use SM\Factory\FactoryInterface as StateMachineFactoryInterface;
use Sylius\Abstraction\StateMachine\StateMachineInterface;
use Sylius\Abstraction\StateMachine\WinzouStateMachineAdapter;
use Sylius\Component\Core\Factory\AddressFactoryInterface;
use Sylius\Component\Core\Model\CustomerInterface;
use Sylius\Component\Core\Model\PaymentInterface;
use Sylius\Component\Core\Model\PaymentMethodInterface;
use Sylius\Component\Core\OrderCheckoutTransitions;
use Sylius\Component\Core\Repository\CustomerRepositoryInterface;
use Sylius\Component\Resource\Factory\FactoryInterface;
use Sylius\PayPalPlugin\Api\CacheAuthorizeClientApiInterface;
use Sylius\PayPalPlugin\Api\OrderDetailsApiInterface;
use Sylius\PayPalPlugin\Manager\PaymentStateManagerInterface;
use Sylius\PayPalPlugin\Provider\OrderProviderInterface;
use Sylius\PayPalPlugin\Verifier\PaymentAmountVerifierInterface;
use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
final class ProcessPayPalOrderAction
{
public function __construct(
private readonly CustomerRepositoryInterface $customerRepository,
private readonly FactoryInterface $customerFactory,
private readonly AddressFactoryInterface $addressFactory,
private readonly ObjectManager $orderManager,
private readonly StateMachineFactoryInterface|StateMachineInterface $stateMachineFactory,
private readonly PaymentStateManagerInterface $paymentStateManager,
private readonly CacheAuthorizeClientApiInterface $authorizeClientApi,
private readonly OrderDetailsApiInterface $orderDetailsApi,
private readonly OrderProviderInterface $orderProvider,
) {
}
public function __invoke(Request $request): Response
{
$orderId = $request->request->getInt('orderId');
$order = $this->orderProvider->provideOrderById($orderId);
/** @var PaymentInterface $payment */
$payment = $order->getLastPayment(PaymentInterface::STATE_CART);
$data = $this->getOrderDetails((string) $request->request->get('payPalOrderId'), $payment);
/** @var CustomerInterface|null $customer */
$customer = $order->getCustomer();
if ($customer === null) {
$customer = $this->getOrderCustomer($data['payer']);
$order->setCustomer($customer);
}
$purchaseUnit = (array) $data['purchase_units'][0];
$address = $this->addressFactory->createNew();
if ($order->isShippingRequired()) {
$name = explode(' ', $purchaseUnit['shipping']['name']['full_name']);
$address->setLastName(array_pop($name) ?? '');
$address->setFirstName(implode(' ', $name));
$address->setStreet($purchaseUnit['shipping']['address']['address_line_1']);
$address->setCity($purchaseUnit['shipping']['address']['admin_area_2']);
$address->setPostcode($purchaseUnit['shipping']['address']['postal_code']);
$address->setCountryCode($purchaseUnit['shipping']['address']['country_code']);
$this->getStateMachine()->apply($order, OrderCheckoutTransitions::GRAPH, OrderCheckoutTransitions::TRANSITION_ADDRESS);
$this->getStateMachine()->apply($order, OrderCheckoutTransitions::GRAPH, OrderCheckoutTransitions::TRANSITION_SELECT_SHIPPING);
} else {
$address->setFirstName($customer->getFirstName());
$address->setLastName($customer->getLastName());
$defaultAddress = $customer->getDefaultAddress();
$address->setStreet($defaultAddress ? $defaultAddress->getStreet() : '');
$address->setCity($defaultAddress ? $defaultAddress->getCity() : '');
$address->setPostcode($defaultAddress ? $defaultAddress->getPostcode() : '');
$address->setCountryCode($data['payer']['address']['country_code']);
$this->getStateMachine()->apply($order, OrderCheckoutTransitions::GRAPH, OrderCheckoutTransitions::TRANSITION_ADDRESS);
}
$order->setShippingAddress(clone $address);
$order->setBillingAddress(clone $address);
$this->getStateMachine()->apply($order, OrderCheckoutTransitions::GRAPH, OrderCheckoutTransitions::TRANSITION_SELECT_PAYMENT);
$this->orderManager->flush();
try {
$this->verify($payment, $data);
} catch (\Exception) {
$this->paymentStateManager->cancel($payment);
return new JsonResponse(['orderID' => $order->getId()]);
}
$this->paymentStateManager->create($payment);
$this->paymentStateManager->process($payment);
return new JsonResponse(['orderID' => $order->getId()]);
}
private function getOrderCustomer(array $customerData): CustomerInterface
{
/** @var CustomerInterface|null $existingCustomer */
$existingCustomer = $this->customerRepository->findOneBy(['email' => $customerData['email_address']]);
if ($existingCustomer !== null) {
return $existingCustomer;
}
/** @var CustomerInterface $customer */
$customer = $this->customerFactory->createNew();
$customer->setEmail($customerData['email_address']);
$customer->setFirstName($customerData['name']['given_name']);
$customer->setLastName($customerData['name']['surname']);
return $customer;
}
private function getOrderDetails(string $id, PaymentInterface $payment): array
{
/** @var PaymentMethodInterface $paymentMethod */
$paymentMethod = $payment->getMethod();
$token = $this->authorizeClientApi->authorize($paymentMethod);
return $this->orderDetailsApi->get($token, $id);
}
private function getStateMachine(): StateMachineInterface
{
if ($this->stateMachineFactory instanceof StateMachineFactoryInterface) {
return new WinzouStateMachineAdapter($this->stateMachineFactory);
}
return $this->stateMachineFactory;
}
private function verify(PaymentInterface $payment, array $paypalOrderDetails): void
{
$totalAmount = $this->getTotalPaymentAmountFromPaypal($paypalOrderDetails);
if ($payment->getAmount() !== $totalAmount) {
throw new \Exception();
}
}
private function getTotalPaymentAmountFromPaypal(array $paypalOrderDetails): int
{
if (!isset($paypalOrderDetails['purchase_units']) || !is_array($paypalOrderDetails['purchase_units'])) {
return 0;
}
$totalAmount = 0;
foreach ($paypalOrderDetails['purchase_units'] as $unit) {
$stringAmount = $unit['amount']['value'] ?? '0';
$totalAmount += (int) ($stringAmount * 100);
}
return $totalAmount;
}
}
Also there is a need to overwrite CompletePayPalOrderFromPaymentPageAction with modified logic:
<?php
declare(strict_types=1);
namespace App\Controller;
use Doctrine\Persistence\ObjectManager;
use SM\Factory\FactoryInterface;
use Sylius\Abstraction\StateMachine\StateMachineInterface;
use Sylius\Abstraction\StateMachine\WinzouStateMachineAdapter;
use Sylius\Component\Core\Model\PaymentInterface;
use Sylius\Component\Core\OrderCheckoutTransitions;
use Sylius\Component\Order\Processor\OrderProcessorInterface;
use Sylius\PayPalPlugin\Exception\PaymentAmountMismatchException;
use Sylius\PayPalPlugin\Manager\PaymentStateManagerInterface;
use Sylius\PayPalPlugin\Provider\OrderProviderInterface;
use Sylius\PayPalPlugin\Verifier\PaymentAmountVerifierInterface;
use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Routing\Generator\UrlGeneratorInterface;
final class CompletePayPalOrderFromPaymentPageAction
{
public function __construct(
private readonly PaymentStateManagerInterface $paymentStateManager,
private readonly UrlGeneratorInterface $router,
private readonly OrderProviderInterface $orderProvider,
private readonly FactoryInterface|StateMachineInterface $stateMachine,
private readonly ObjectManager $orderManager,
private readonly OrderProcessorInterface $orderProcessor,
) {
}
public function __invoke(Request $request): Response
{
$orderId = $request->attributes->getInt('id');
$order = $this->orderProvider->provideOrderById($orderId);
/** @var PaymentInterface $payment */
$payment = $order->getLastPayment(PaymentInterface::STATE_PROCESSING);
try {
$this->verify($payment);
} catch (\Exception) {
$this->paymentStateManager->cancel($payment);
$order->removePayment($payment);
$this->orderProcessor->process($order);
return new JsonResponse([
'return_url' => $this->router->generate('sylius_shop_checkout_complete', [], UrlGeneratorInterface::ABSOLUTE_URL),
]);
}
$this->paymentStateManager->complete($payment);
$this->getStateMachine()->apply($order, OrderCheckoutTransitions::GRAPH, OrderCheckoutTransitions::TRANSITION_SELECT_PAYMENT);
$this->getStateMachine()->apply($order, OrderCheckoutTransitions::GRAPH, OrderCheckoutTransitions::TRANSITION_COMPLETE);
$this->orderManager->flush();
$request->getSession()->set('sylius_order_id', $order->getId());
return new JsonResponse([
'return_url' => $this->router->generate('sylius_shop_order_thank_you', [], UrlGeneratorInterface::ABSOLUTE_URL),
]);
}
private function getStateMachine(): StateMachineInterface
{
if ($this->stateMachine instanceof FactoryInterface) {
return new WinzouStateMachineAdapter($this->stateMachine);
}
return $this->stateMachine;
}
private function verify(PaymentInterface $payment): void
{
$totalAmount = $this->getTotalPaymentAmountFromPaypal($payment);
if ($payment->getOrder()->getTotal() !== $totalAmount) {
throw new \Exception();
}
}
private function getTotalPaymentAmountFromPaypal(PaymentInterface $payment): int
{
$details = $payment->getDetails();
return $details['payment_amount'] ?? 0;
}
}
And to overwrite CaptureAction with modified logic:
<?php
declare(strict_types=1);
namespace App\Payum\Action;
use Payum\Core\Action\ActionInterface;
use Payum\Core\Exception\RequestNotSupportedException;
use Payum\Core\Request\Capture;
use Sylius\Component\Core\Model\PaymentInterface;
use Sylius\Component\Core\Model\PaymentMethodInterface;
use Sylius\PayPalPlugin\Api\CacheAuthorizeClientApiInterface;
use Sylius\PayPalPlugin\Api\CreateOrderApiInterface;
use Sylius\PayPalPlugin\Payum\Action\StatusAction;
use Sylius\PayPalPlugin\Provider\UuidProviderInterface;
final class CaptureAction implements ActionInterface
{
public function __construct(
private CacheAuthorizeClientApiInterface $authorizeClientApi,
private CreateOrderApiInterface $createOrderApi,
private UuidProviderInterface $uuidProvider,
) {
}
/** @param Capture $request */
public function execute($request): void
{
RequestNotSupportedException::assertSupports($this, $request);
/** @var PaymentInterface $payment */
$payment = $request->getModel();
/** @var PaymentMethodInterface $paymentMethod */
$paymentMethod = $payment->getMethod();
$token = $this->authorizeClientApi->authorize($paymentMethod);
$referenceId = $this->uuidProvider->provide();
$content = $this->createOrderApi->create($token, $payment, $referenceId);
if ($content['status'] === 'CREATED') {
$payment->setDetails([
'status' => StatusAction::STATUS_CAPTURED,
'paypal_order_id' => $content['id'],
'reference_id' => $referenceId,
'payment_amount' => $payment->getAmount(),
]);
}
}
public function supports($request): bool
{
return
$request instanceof Capture &&
$request->getModel() instanceof PaymentInterface
;
}
}
After that, register services in the container when using PayPal 1.x:
services:
App\Controller\ProcessPayPalOrderAction:
class: App\Controller\ProcessPayPalOrderAction
public: true
arguments:
- '@sylius.repository.customer'
- '@sylius.factory.customer'
- '@sylius.factory.address'
- '@sylius.manager.order'
- '@sylius_abstraction.state_machine'
- '@Sylius\PayPalPlugin\Manager\PaymentStateManagerInterface'
- '@Sylius\PayPalPlugin\Api\CacheAuthorizeClientApiInterface'
- '@Sylius\PayPalPlugin\Api\OrderDetailsApiInterface'
- '@Sylius\PayPalPlugin\Provider\OrderProviderInterface'
Sylius\PayPalPlugin\Controller\ProcessPayPalOrderAction:
alias: App\Controller\ProcessPayPalOrderAction
App\Controller\CompletePayPalOrderFromPaymentPageAction:
class: App\Controller\CompletePayPalOrderFromPaymentPageAction
public: true
arguments:
- '@Sylius\PayPalPlugin\Manager\PaymentStateManagerInterface'
- '@router'
- '@Sylius\PayPalPlugin\Provider\OrderProviderInterface'
- '@sylius_abstraction.state_machine'
- '@sylius.manager.order'
- '@sylius.order_processing.order_processor'
Sylius\PayPalPlugin\Controller\CompletePayPalOrderFromPaymentPageAction:
alias: App\Controller\CompletePayPalOrderFromPaymentPageAction
Sylius\PayPalPlugin\Payum\Action\CaptureAction:
class: App\Payum\Action\CaptureAction
public: true
arguments:
- '@Sylius\PayPalPlugin\Api\CacheAuthorizeClientApiInterface'
- '@Sylius\PayPalPlugin\Api\CreateOrderApiInterface'
- '@Sylius\PayPalPlugin\Provider\UuidProviderInterface'
tags:
- { name: 'payum.action', factory: 'sylius.pay_pal', alias: 'payum.action.capture' }
or when using PayPal 2.x:
services:
App\Controller\ProcessPayPalOrderAction:
class: App\Controller\ProcessPayPalOrderAction
public: true
arguments:
- '@sylius.repository.customer'
- '@sylius.factory.customer'
- '@sylius.factory.address'
- '@sylius.manager.order'
- '@sylius_abstraction.state_machine'
- '@sylius_paypal.manager.payment_state'
- '@sylius_paypal.api.cache_authorize_client'
- '@sylius_paypal.api.order_details'
- '@sylius_paypal.provider.order'
sylius_paypal.controller.process_paypal_order:
alias: App\Controller\ProcessPayPalOrderAction
App\Controller\CompletePayPalOrderFromPaymentPageAction:
class: App\Controller\CompletePayPalOrderFromPaymentPageAction
public: true
arguments:
- '@sylius_paypal.manager.payment_state'
- '@router'
- '@sylius_paypal.provider.order'
- '@sylius_abstraction.state_machine'
- '@sylius.manager.order'
- '@sylius.order_processing.order_processor'
sylius_paypal.controller.complete_paypal_order_from_payment_page:
alias: App\Controller\CompletePayPalOrderFromPaymentPageAction
sylius_paypal.payum.action.capture:
class: App\Payum\Action\CaptureAction
public: true
arguments:
- '@sylius_paypal.api.cache_authorize_client'
- '@sylius_paypal.api.create_order'
- '@sylius_paypal.provider.uuid'
tags:
- { name: 'payum.action', factory: 'sylius.paypal', alias: 'payum.action.capture' }
For more information
If you have any questions or comments about this advisory: * Open an issue in Sylius issues * Email us at security@sylius.com
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "sylius/paypal-plugin"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.6.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "sylius/paypal-plugin"
},
"ranges": [
{
"events": [
{
"introduced": "1.7.0"
},
{
"fixed": "1.7.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "sylius/paypal-plugin"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.0.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-29788"
],
"database_specific": {
"cwe_ids": [
"CWE-472"
],
"github_reviewed": true,
"github_reviewed_at": "2025-03-17T21:26:50Z",
"nvd_published_at": "2025-03-17T14:15:22Z",
"severity": "MODERATE"
},
"details": "A vulnerability allows users to manipulate the final payment amount processed by PayPal. If a user modifies the item quantity in their shopping cart after initiating the PayPal Checkout process, PayPal will not receive the updated total amount. As a result, PayPal captures only the initially transmitted amount, while Sylius incorrectly considers the order fully paid based on the modified total. This flaw can be exploited both accidentally and intentionally, potentially enabling fraud by allowing customers to pay less than the actual order value.\n\n### Impact\n\n- Attackers can intentionally pay less than the actual total order amount.\n- Business owners may suffer financial losses due to underpaid orders.\n- Integrity of payment processing is compromised.\n\n### Patches\n\nThe issue is fixed in versions: 1.6.1, 1.7.1, 2.0.1 and above.\n\n### Workarounds\n\nTo resolve the problem in the end application without updating to the newest patches, there is a need to overwrite `ProcessPayPalOrderAction` with modified logic:\n\n```php\n\u003c?php\n\ndeclare(strict_types=1);\n\nnamespace App\\Controller;\n\nuse Doctrine\\Persistence\\ObjectManager;\nuse SM\\Factory\\FactoryInterface as StateMachineFactoryInterface;\nuse Sylius\\Abstraction\\StateMachine\\StateMachineInterface;\nuse Sylius\\Abstraction\\StateMachine\\WinzouStateMachineAdapter;\nuse Sylius\\Component\\Core\\Factory\\AddressFactoryInterface;\nuse Sylius\\Component\\Core\\Model\\CustomerInterface;\nuse Sylius\\Component\\Core\\Model\\PaymentInterface;\nuse Sylius\\Component\\Core\\Model\\PaymentMethodInterface;\nuse Sylius\\Component\\Core\\OrderCheckoutTransitions;\nuse Sylius\\Component\\Core\\Repository\\CustomerRepositoryInterface;\nuse Sylius\\Component\\Resource\\Factory\\FactoryInterface;\nuse Sylius\\PayPalPlugin\\Api\\CacheAuthorizeClientApiInterface;\nuse Sylius\\PayPalPlugin\\Api\\OrderDetailsApiInterface;\nuse Sylius\\PayPalPlugin\\Manager\\PaymentStateManagerInterface;\nuse Sylius\\PayPalPlugin\\Provider\\OrderProviderInterface;\nuse Sylius\\PayPalPlugin\\Verifier\\PaymentAmountVerifierInterface;\nuse Symfony\\Component\\HttpFoundation\\JsonResponse;\nuse Symfony\\Component\\HttpFoundation\\Request;\nuse Symfony\\Component\\HttpFoundation\\Response;\n\nfinal class ProcessPayPalOrderAction\n{\n public function __construct(\n private readonly CustomerRepositoryInterface $customerRepository,\n private readonly FactoryInterface $customerFactory,\n private readonly AddressFactoryInterface $addressFactory,\n private readonly ObjectManager $orderManager,\n private readonly StateMachineFactoryInterface|StateMachineInterface $stateMachineFactory,\n private readonly PaymentStateManagerInterface $paymentStateManager,\n private readonly CacheAuthorizeClientApiInterface $authorizeClientApi,\n private readonly OrderDetailsApiInterface $orderDetailsApi,\n private readonly OrderProviderInterface $orderProvider,\n ) {\n }\n\n public function __invoke(Request $request): Response\n {\n $orderId = $request-\u003erequest-\u003egetInt(\u0027orderId\u0027);\n $order = $this-\u003eorderProvider-\u003eprovideOrderById($orderId);\n /** @var PaymentInterface $payment */\n $payment = $order-\u003egetLastPayment(PaymentInterface::STATE_CART);\n\n $data = $this-\u003egetOrderDetails((string) $request-\u003erequest-\u003eget(\u0027payPalOrderId\u0027), $payment);\n\n /** @var CustomerInterface|null $customer */\n $customer = $order-\u003egetCustomer();\n if ($customer === null) {\n $customer = $this-\u003egetOrderCustomer($data[\u0027payer\u0027]);\n $order-\u003esetCustomer($customer);\n }\n\n $purchaseUnit = (array) $data[\u0027purchase_units\u0027][0];\n\n $address = $this-\u003eaddressFactory-\u003ecreateNew();\n\n if ($order-\u003eisShippingRequired()) {\n $name = explode(\u0027 \u0027, $purchaseUnit[\u0027shipping\u0027][\u0027name\u0027][\u0027full_name\u0027]);\n $address-\u003esetLastName(array_pop($name) ?? \u0027\u0027);\n $address-\u003esetFirstName(implode(\u0027 \u0027, $name));\n $address-\u003esetStreet($purchaseUnit[\u0027shipping\u0027][\u0027address\u0027][\u0027address_line_1\u0027]);\n $address-\u003esetCity($purchaseUnit[\u0027shipping\u0027][\u0027address\u0027][\u0027admin_area_2\u0027]);\n $address-\u003esetPostcode($purchaseUnit[\u0027shipping\u0027][\u0027address\u0027][\u0027postal_code\u0027]);\n $address-\u003esetCountryCode($purchaseUnit[\u0027shipping\u0027][\u0027address\u0027][\u0027country_code\u0027]);\n\n $this-\u003egetStateMachine()-\u003eapply($order, OrderCheckoutTransitions::GRAPH, OrderCheckoutTransitions::TRANSITION_ADDRESS);\n $this-\u003egetStateMachine()-\u003eapply($order, OrderCheckoutTransitions::GRAPH, OrderCheckoutTransitions::TRANSITION_SELECT_SHIPPING);\n } else {\n $address-\u003esetFirstName($customer-\u003egetFirstName());\n $address-\u003esetLastName($customer-\u003egetLastName());\n\n $defaultAddress = $customer-\u003egetDefaultAddress();\n\n $address-\u003esetStreet($defaultAddress ? $defaultAddress-\u003egetStreet() : \u0027\u0027);\n $address-\u003esetCity($defaultAddress ? $defaultAddress-\u003egetCity() : \u0027\u0027);\n $address-\u003esetPostcode($defaultAddress ? $defaultAddress-\u003egetPostcode() : \u0027\u0027);\n $address-\u003esetCountryCode($data[\u0027payer\u0027][\u0027address\u0027][\u0027country_code\u0027]);\n\n $this-\u003egetStateMachine()-\u003eapply($order, OrderCheckoutTransitions::GRAPH, OrderCheckoutTransitions::TRANSITION_ADDRESS);\n }\n\n $order-\u003esetShippingAddress(clone $address);\n $order-\u003esetBillingAddress(clone $address);\n\n $this-\u003egetStateMachine()-\u003eapply($order, OrderCheckoutTransitions::GRAPH, OrderCheckoutTransitions::TRANSITION_SELECT_PAYMENT);\n\n $this-\u003eorderManager-\u003eflush();\n\n try {\n $this-\u003everify($payment, $data);\n } catch (\\Exception) {\n $this-\u003epaymentStateManager-\u003ecancel($payment);\n\n return new JsonResponse([\u0027orderID\u0027 =\u003e $order-\u003egetId()]);\n }\n\n $this-\u003epaymentStateManager-\u003ecreate($payment);\n $this-\u003epaymentStateManager-\u003eprocess($payment);\n\n return new JsonResponse([\u0027orderID\u0027 =\u003e $order-\u003egetId()]);\n }\n\n private function getOrderCustomer(array $customerData): CustomerInterface\n {\n /** @var CustomerInterface|null $existingCustomer */\n $existingCustomer = $this-\u003ecustomerRepository-\u003efindOneBy([\u0027email\u0027 =\u003e $customerData[\u0027email_address\u0027]]);\n if ($existingCustomer !== null) {\n return $existingCustomer;\n }\n\n /** @var CustomerInterface $customer */\n $customer = $this-\u003ecustomerFactory-\u003ecreateNew();\n $customer-\u003esetEmail($customerData[\u0027email_address\u0027]);\n $customer-\u003esetFirstName($customerData[\u0027name\u0027][\u0027given_name\u0027]);\n $customer-\u003esetLastName($customerData[\u0027name\u0027][\u0027surname\u0027]);\n\n return $customer;\n }\n\n private function getOrderDetails(string $id, PaymentInterface $payment): array\n {\n /** @var PaymentMethodInterface $paymentMethod */\n $paymentMethod = $payment-\u003egetMethod();\n $token = $this-\u003eauthorizeClientApi-\u003eauthorize($paymentMethod);\n\n return $this-\u003eorderDetailsApi-\u003eget($token, $id);\n }\n\n private function getStateMachine(): StateMachineInterface\n {\n if ($this-\u003estateMachineFactory instanceof StateMachineFactoryInterface) {\n return new WinzouStateMachineAdapter($this-\u003estateMachineFactory);\n }\n\n return $this-\u003estateMachineFactory;\n }\n\n private function verify(PaymentInterface $payment, array $paypalOrderDetails): void\n {\n $totalAmount = $this-\u003egetTotalPaymentAmountFromPaypal($paypalOrderDetails);\n\n if ($payment-\u003egetAmount() !== $totalAmount) {\n throw new \\Exception();\n }\n }\n\n private function getTotalPaymentAmountFromPaypal(array $paypalOrderDetails): int\n {\n if (!isset($paypalOrderDetails[\u0027purchase_units\u0027]) || !is_array($paypalOrderDetails[\u0027purchase_units\u0027])) {\n return 0;\n }\n\n $totalAmount = 0;\n\n foreach ($paypalOrderDetails[\u0027purchase_units\u0027] as $unit) {\n $stringAmount = $unit[\u0027amount\u0027][\u0027value\u0027] ?? \u00270\u0027;\n\n $totalAmount += (int) ($stringAmount * 100);\n }\n\n return $totalAmount;\n }\n}\n```\n\nAlso there is a need to overwrite `CompletePayPalOrderFromPaymentPageAction` with modified logic:\n\n```php\n\u003c?php\n\ndeclare(strict_types=1);\n\nnamespace App\\Controller;\n\nuse Doctrine\\Persistence\\ObjectManager;\nuse SM\\Factory\\FactoryInterface;\nuse Sylius\\Abstraction\\StateMachine\\StateMachineInterface;\nuse Sylius\\Abstraction\\StateMachine\\WinzouStateMachineAdapter;\nuse Sylius\\Component\\Core\\Model\\PaymentInterface;\nuse Sylius\\Component\\Core\\OrderCheckoutTransitions;\nuse Sylius\\Component\\Order\\Processor\\OrderProcessorInterface;\nuse Sylius\\PayPalPlugin\\Exception\\PaymentAmountMismatchException;\nuse Sylius\\PayPalPlugin\\Manager\\PaymentStateManagerInterface;\nuse Sylius\\PayPalPlugin\\Provider\\OrderProviderInterface;\nuse Sylius\\PayPalPlugin\\Verifier\\PaymentAmountVerifierInterface;\nuse Symfony\\Component\\HttpFoundation\\JsonResponse;\nuse Symfony\\Component\\HttpFoundation\\Request;\nuse Symfony\\Component\\HttpFoundation\\Response;\nuse Symfony\\Component\\Routing\\Generator\\UrlGeneratorInterface;\n\nfinal class CompletePayPalOrderFromPaymentPageAction\n{\n public function __construct(\n private readonly PaymentStateManagerInterface $paymentStateManager,\n private readonly UrlGeneratorInterface $router,\n private readonly OrderProviderInterface $orderProvider,\n private readonly FactoryInterface|StateMachineInterface $stateMachine,\n private readonly ObjectManager $orderManager,\n private readonly OrderProcessorInterface $orderProcessor,\n ) {\n }\n\n public function __invoke(Request $request): Response\n {\n $orderId = $request-\u003eattributes-\u003egetInt(\u0027id\u0027);\n\n $order = $this-\u003eorderProvider-\u003eprovideOrderById($orderId);\n /** @var PaymentInterface $payment */\n $payment = $order-\u003egetLastPayment(PaymentInterface::STATE_PROCESSING);\n\n try {\n $this-\u003everify($payment);\n } catch (\\Exception) {\n $this-\u003epaymentStateManager-\u003ecancel($payment);\n $order-\u003eremovePayment($payment);\n\n $this-\u003eorderProcessor-\u003eprocess($order);\n\n return new JsonResponse([\n \u0027return_url\u0027 =\u003e $this-\u003erouter-\u003egenerate(\u0027sylius_shop_checkout_complete\u0027, [], UrlGeneratorInterface::ABSOLUTE_URL),\n ]);\n }\n\n $this-\u003epaymentStateManager-\u003ecomplete($payment);\n\n $this-\u003egetStateMachine()-\u003eapply($order, OrderCheckoutTransitions::GRAPH, OrderCheckoutTransitions::TRANSITION_SELECT_PAYMENT);\n $this-\u003egetStateMachine()-\u003eapply($order, OrderCheckoutTransitions::GRAPH, OrderCheckoutTransitions::TRANSITION_COMPLETE);\n\n $this-\u003eorderManager-\u003eflush();\n\n $request-\u003egetSession()-\u003eset(\u0027sylius_order_id\u0027, $order-\u003egetId());\n\n return new JsonResponse([\n \u0027return_url\u0027 =\u003e $this-\u003erouter-\u003egenerate(\u0027sylius_shop_order_thank_you\u0027, [], UrlGeneratorInterface::ABSOLUTE_URL),\n ]);\n }\n\n private function getStateMachine(): StateMachineInterface\n {\n if ($this-\u003estateMachine instanceof FactoryInterface) {\n return new WinzouStateMachineAdapter($this-\u003estateMachine);\n }\n\n return $this-\u003estateMachine;\n }\n\n private function verify(PaymentInterface $payment): void\n {\n $totalAmount = $this-\u003egetTotalPaymentAmountFromPaypal($payment);\n\n if ($payment-\u003egetOrder()-\u003egetTotal() !== $totalAmount) {\n throw new \\Exception();\n }\n }\n\n private function getTotalPaymentAmountFromPaypal(PaymentInterface $payment): int\n {\n $details = $payment-\u003egetDetails();\n\n return $details[\u0027payment_amount\u0027] ?? 0;\n }\n}\n```\n\nAnd to overwrite `CaptureAction` with modified logic:\n\n```php\n\u003c?php\n\ndeclare(strict_types=1);\n\nnamespace App\\Payum\\Action;\n\nuse Payum\\Core\\Action\\ActionInterface;\nuse Payum\\Core\\Exception\\RequestNotSupportedException;\nuse Payum\\Core\\Request\\Capture;\nuse Sylius\\Component\\Core\\Model\\PaymentInterface;\nuse Sylius\\Component\\Core\\Model\\PaymentMethodInterface;\nuse Sylius\\PayPalPlugin\\Api\\CacheAuthorizeClientApiInterface;\nuse Sylius\\PayPalPlugin\\Api\\CreateOrderApiInterface;\nuse Sylius\\PayPalPlugin\\Payum\\Action\\StatusAction;\nuse Sylius\\PayPalPlugin\\Provider\\UuidProviderInterface;\n\nfinal class CaptureAction implements ActionInterface\n{\n public function __construct(\n private CacheAuthorizeClientApiInterface $authorizeClientApi,\n private CreateOrderApiInterface $createOrderApi,\n private UuidProviderInterface $uuidProvider,\n ) {\n }\n\n /** @param Capture $request */\n public function execute($request): void\n {\n RequestNotSupportedException::assertSupports($this, $request);\n\n /** @var PaymentInterface $payment */\n $payment = $request-\u003egetModel();\n /** @var PaymentMethodInterface $paymentMethod */\n $paymentMethod = $payment-\u003egetMethod();\n\n $token = $this-\u003eauthorizeClientApi-\u003eauthorize($paymentMethod);\n\n $referenceId = $this-\u003euuidProvider-\u003eprovide();\n $content = $this-\u003ecreateOrderApi-\u003ecreate($token, $payment, $referenceId);\n\n if ($content[\u0027status\u0027] === \u0027CREATED\u0027) {\n $payment-\u003esetDetails([\n \u0027status\u0027 =\u003e StatusAction::STATUS_CAPTURED,\n \u0027paypal_order_id\u0027 =\u003e $content[\u0027id\u0027],\n \u0027reference_id\u0027 =\u003e $referenceId,\n \u0027payment_amount\u0027 =\u003e $payment-\u003egetAmount(),\n ]);\n }\n }\n\n public function supports($request): bool\n {\n return\n $request instanceof Capture \u0026\u0026\n $request-\u003egetModel() instanceof PaymentInterface\n ;\n }\n}\n\n```\n\nAfter that, register services in the container when using PayPal 1.x:\n\n```yaml\nservices:\n App\\Controller\\ProcessPayPalOrderAction:\n class: App\\Controller\\ProcessPayPalOrderAction\n public: true\n arguments:\n - \u0027@sylius.repository.customer\u0027\n - \u0027@sylius.factory.customer\u0027\n - \u0027@sylius.factory.address\u0027\n - \u0027@sylius.manager.order\u0027\n - \u0027@sylius_abstraction.state_machine\u0027\n - \u0027@Sylius\\PayPalPlugin\\Manager\\PaymentStateManagerInterface\u0027\n - \u0027@Sylius\\PayPalPlugin\\Api\\CacheAuthorizeClientApiInterface\u0027\n - \u0027@Sylius\\PayPalPlugin\\Api\\OrderDetailsApiInterface\u0027\n - \u0027@Sylius\\PayPalPlugin\\Provider\\OrderProviderInterface\u0027\n\n Sylius\\PayPalPlugin\\Controller\\ProcessPayPalOrderAction:\n alias: App\\Controller\\ProcessPayPalOrderAction\n\n App\\Controller\\CompletePayPalOrderFromPaymentPageAction:\n class: App\\Controller\\CompletePayPalOrderFromPaymentPageAction\n public: true\n arguments:\n - \u0027@Sylius\\PayPalPlugin\\Manager\\PaymentStateManagerInterface\u0027\n - \u0027@router\u0027\n - \u0027@Sylius\\PayPalPlugin\\Provider\\OrderProviderInterface\u0027\n - \u0027@sylius_abstraction.state_machine\u0027\n - \u0027@sylius.manager.order\u0027\n - \u0027@sylius.order_processing.order_processor\u0027\n\n Sylius\\PayPalPlugin\\Controller\\CompletePayPalOrderFromPaymentPageAction:\n alias: App\\Controller\\CompletePayPalOrderFromPaymentPageAction\n\n Sylius\\PayPalPlugin\\Payum\\Action\\CaptureAction:\n class: App\\Payum\\Action\\CaptureAction\n public: true\n arguments:\n - \u0027@Sylius\\PayPalPlugin\\Api\\CacheAuthorizeClientApiInterface\u0027\n - \u0027@Sylius\\PayPalPlugin\\Api\\CreateOrderApiInterface\u0027\n - \u0027@Sylius\\PayPalPlugin\\Provider\\UuidProviderInterface\u0027\n tags:\n - { name: \u0027payum.action\u0027, factory: \u0027sylius.pay_pal\u0027, alias: \u0027payum.action.capture\u0027 }\n```\n\nor when using PayPal 2.x:\n\n```yaml\nservices:\n App\\Controller\\ProcessPayPalOrderAction:\n class: App\\Controller\\ProcessPayPalOrderAction\n public: true\n arguments:\n - \u0027@sylius.repository.customer\u0027\n - \u0027@sylius.factory.customer\u0027\n - \u0027@sylius.factory.address\u0027\n - \u0027@sylius.manager.order\u0027\n - \u0027@sylius_abstraction.state_machine\u0027\n - \u0027@sylius_paypal.manager.payment_state\u0027\n - \u0027@sylius_paypal.api.cache_authorize_client\u0027\n - \u0027@sylius_paypal.api.order_details\u0027\n - \u0027@sylius_paypal.provider.order\u0027\n\n sylius_paypal.controller.process_paypal_order:\n alias: App\\Controller\\ProcessPayPalOrderAction\n\n App\\Controller\\CompletePayPalOrderFromPaymentPageAction:\n class: App\\Controller\\CompletePayPalOrderFromPaymentPageAction\n public: true\n arguments:\n - \u0027@sylius_paypal.manager.payment_state\u0027\n - \u0027@router\u0027\n - \u0027@sylius_paypal.provider.order\u0027\n - \u0027@sylius_abstraction.state_machine\u0027\n - \u0027@sylius.manager.order\u0027\n - \u0027@sylius.order_processing.order_processor\u0027\n\n sylius_paypal.controller.complete_paypal_order_from_payment_page:\n alias: App\\Controller\\CompletePayPalOrderFromPaymentPageAction\n\n sylius_paypal.payum.action.capture:\n class: App\\Payum\\Action\\CaptureAction\n public: true\n arguments:\n - \u0027@sylius_paypal.api.cache_authorize_client\u0027\n - \u0027@sylius_paypal.api.create_order\u0027\n - \u0027@sylius_paypal.provider.uuid\u0027\n tags:\n - { name: \u0027payum.action\u0027, factory: \u0027sylius.paypal\u0027, alias: \u0027payum.action.capture\u0027 }\n```\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n* Open an issue in [Sylius issues](https://github.com/Sylius/Sylius/issues)\n* Email us at security@sylius.com",
"id": "GHSA-pqq3-q84h-pj6x",
"modified": "2025-03-17T21:26:51Z",
"published": "2025-03-17T21:26:50Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/Sylius/PayPalPlugin/security/advisories/GHSA-pqq3-q84h-pj6x"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-29788"
},
{
"type": "WEB",
"url": "https://github.com/Sylius/PayPalPlugin/commit/31e71b0457e5d887a6c19f8cfabb8b16125ec406"
},
{
"type": "WEB",
"url": "https://github.com/Sylius/PayPalPlugin/commit/8a81258f965b7860d4bccb52942e4c5b53e6774d"
},
{
"type": "PACKAGE",
"url": "https://github.com/Sylius/PayPalPlugin"
},
{
"type": "WEB",
"url": "https://github.com/Sylius/PayPalPlugin/releases/tag/v1.6.1"
},
{
"type": "WEB",
"url": "https://github.com/Sylius/PayPalPlugin/releases/tag/v1.7.1"
},
{
"type": "WEB",
"url": "https://github.com/Sylius/PayPalPlugin/releases/tag/v2.0.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Sylius PayPal Plugin Payment Amount Manipulation Vulnerability"
}
GHSA-PWMV-QPCH-986C
Vulnerability from github – Published: 2026-06-05 00:31 – Updated: 2026-06-05 03:31Integer overflow in V8 in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
{
"affected": [],
"aliases": [
"CVE-2026-10963"
],
"database_specific": {
"cwe_ids": [
"CWE-472"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-04T23:16:59Z",
"severity": "HIGH"
},
"details": "Integer overflow in V8 in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)",
"id": "GHSA-pwmv-qpch-986c",
"modified": "2026-06-05T03:31:32Z",
"published": "2026-06-05T00:31:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-10963"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html"
},
{
"type": "WEB",
"url": "https://issues.chromium.org/issues/511218177"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PWVQ-679H-C42J
Vulnerability from github – Published: 2026-04-09 00:32 – Updated: 2026-04-09 18:31Integer overflow in Media in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to potentially exploit heap corruption via a crafted video file. (Chromium security severity: Low)
{
"affected": [],
"aliases": [
"CVE-2026-5908"
],
"database_specific": {
"cwe_ids": [
"CWE-472"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-08T22:16:30Z",
"severity": "HIGH"
},
"details": "Integer overflow in Media in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to potentially exploit heap corruption via a crafted video file. (Chromium security severity: Low)",
"id": "GHSA-pwvq-679h-c42j",
"modified": "2026-04-09T18:31:26Z",
"published": "2026-04-09T00:32:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5908"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop.html"
},
{
"type": "WEB",
"url": "https://issues.chromium.org/issues/485115554"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-Q2HX-7C42-VRHR
Vulnerability from github – Published: 2026-05-29 00:38 – Updated: 2026-05-29 18:31Integer overflow in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
{
"affected": [],
"aliases": [
"CVE-2026-10019"
],
"database_specific": {
"cwe_ids": [
"CWE-472"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-28T23:16:43Z",
"severity": "HIGH"
},
"details": "Integer overflow in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)",
"id": "GHSA-q2hx-7c42-vrhr",
"modified": "2026-05-29T18:31:22Z",
"published": "2026-05-29T00:38:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-10019"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html"
},
{
"type": "WEB",
"url": "https://issues.chromium.org/issues/505056913"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-Q35G-37C5-HJJH
Vulnerability from github – Published: 2025-05-11 00:33 – Updated: 2025-05-11 00:33In BlueWave Checkmate through 2.0.2 before b387eba, a profile edit request can include a role parameter.
{
"affected": [],
"aliases": [
"CVE-2025-47817"
],
"database_specific": {
"cwe_ids": [
"CWE-472"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-10T22:15:20Z",
"severity": "HIGH"
},
"details": "In BlueWave Checkmate through 2.0.2 before b387eba, a profile edit request can include a role parameter.",
"id": "GHSA-q35g-37c5-hjjh",
"modified": "2025-05-11T00:33:45Z",
"published": "2025-05-11T00:33:45Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/bluewave-labs/Checkmate/security/advisories/GHSA-rq7r-p9cq-5q4f"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47817"
},
{
"type": "WEB",
"url": "https://github.com/bluewave-labs/Checkmate/pull/2161"
},
{
"type": "WEB",
"url": "https://github.com/bluewave-labs/Checkmate/commit/b387ebaae96fc3a23b090a8baea7a9ebaa70f052"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-Q3H3-JPFC-G5V7
Vulnerability from github – Published: 2026-04-09 00:32 – Updated: 2026-04-09 18:31Integer overflow in WebRTC in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Low)
{
"affected": [],
"aliases": [
"CVE-2026-5912"
],
"database_specific": {
"cwe_ids": [
"CWE-472"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-08T22:16:31Z",
"severity": "HIGH"
},
"details": "Integer overflow in WebRTC in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Low)",
"id": "GHSA-q3h3-jpfc-g5v7",
"modified": "2026-04-09T18:31:26Z",
"published": "2026-04-09T00:32:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5912"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop.html"
},
{
"type": "WEB",
"url": "https://issues.chromium.org/issues/486498791"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-Q44C-8X5P-C44R
Vulnerability from github – Published: 2026-05-06 21:31 – Updated: 2026-05-07 01:05Integer overflow in GPU in Google Chrome on Android prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to perform arbitrary read/write via a crafted HTML page. (Chromium security severity: High)
{
"affected": [],
"aliases": [
"CVE-2026-7912"
],
"database_specific": {
"cwe_ids": [
"CWE-472"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-06T19:16:39Z",
"severity": "MODERATE"
},
"details": "Integer overflow in GPU in Google Chrome on Android prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to perform arbitrary read/write via a crafted HTML page. (Chromium security severity: High)",
"id": "GHSA-q44c-8x5p-c44r",
"modified": "2026-05-07T01:05:50Z",
"published": "2026-05-06T21:31:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-7912"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html"
},
{
"type": "WEB",
"url": "https://issues.chromium.org/issues/497639714"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-5
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
Mitigation MIT-20
Strategy: Input Validation
Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
CAPEC-146: XML Schema Poisoning
An adversary corrupts or modifies the content of XML schema information passed between a client and server for the purpose of undermining the security of the target. XML Schemas provide the structure and content definitions for XML documents. Schema poisoning is the ability to manipulate a schema either by replacing or modifying it to compromise the programs that process documents that use this schema.
CAPEC-226: Session Credential Falsification through Manipulation
An attacker manipulates an existing credential in order to gain access to a target application. Session credentials allow users to identify themselves to a service after an initial authentication without needing to resend the authentication information (usually a username and password) with every message. An attacker may be able to manipulate a credential sniffed from an existing connection in order to gain access to a target server.
CAPEC-31: Accessing/Intercepting/Modifying HTTP Cookies
This attack relies on the use of HTTP Cookies to store credentials, state information and other critical data on client systems. There are several different forms of this attack. The first form of this attack involves accessing HTTP Cookies to mine for potentially sensitive data contained therein. The second form involves intercepting this data as it is transmitted from client to server. This intercepted information is then used by the adversary to impersonate the remote user/session. The third form is when the cookie's content is modified by the adversary before it is sent back to the server. Here the adversary seeks to convince the target server to operate on this falsified information.
CAPEC-39: Manipulating Opaque Client-based Data Tokens
In circumstances where an application holds important data client-side in tokens (cookies, URLs, data files, and so forth) that data can be manipulated. If client or server-side application components reinterpret that data as authentication tokens or data (such as store item pricing or wallet information) then even opaquely manipulating that data may bear fruit for an Attacker. In this pattern an attacker undermines the assumption that client side tokens have been adequately protected from tampering through use of encryption or obfuscation.