CVE-2024-41670 (GCVE-0-2024-41670)

Vulnerability from cvelistv5 – Published: 2024-07-26 14:46 – Updated: 2024-08-02 04:46
Title
PayPal Official Module for PrestaShop has Improperly Implemented Security Check for Standard
Summary
In the module "PayPal Official" for PrestaShop 7+ releases prior to version 6.4.2 and for PrestaShop 1.6 releases prior to version 3.18.1, a malicious customer can confirm an order even if the payment is ultimately declined by PayPal. A logical weakness during the capture of a payment when webhooks are disabled can be exploited to create an accepted order. This could allow a threat actor to confirm an order with a fraudulent payment method. Versions 6.4.2 and 3.18.1 contain a patch for the issue. Additionally, users should enable webhooks and check that they are callable.
CWE
Assigner
References
Impacted products
Vendor Product Version
202ecommerce paypal Affected: < 6.4.2
Affected: < 3.18.1

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-41670",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-07-26T15:56:46.794129Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-26T15:56:54.457Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T04:46:52.667Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/202ecommerce/paypal/security/advisories/GHSA-w3w3-j3mh-3354",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/202ecommerce/paypal/security/advisories/GHSA-w3w3-j3mh-3354"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "paypal",
          "vendor": "202ecommerce",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 6.4.2"
            },
            {
              "status": "affected",
              "version": "\u003c 3.18.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the module \"PayPal Official\" for PrestaShop 7+ releases prior to version 6.4.2 and for PrestaShop 1.6 releases prior to version 3.18.1, a malicious customer can confirm an order even if payment is finally declined by PayPal. A logical weakness during the capture of a payment in case of disabled webhooks can be exploited to create an accepted order. This could allow a threat actor to confirm an order with a fraudulent payment support. Versions 6.4.2 and 3.18.1 contain a patch for the issue. Additionally, users enable webhooks and check they are callable."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-285",
              "description": "CWE-285: Improper Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-863",
              "description": "CWE-863: Incorrect Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-07-26T14:46:14.226Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/202ecommerce/paypal/security/advisories/GHSA-w3w3-j3mh-3354",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/202ecommerce/paypal/security/advisories/GHSA-w3w3-j3mh-3354"
        }
      ],
      "source": {
        "advisory": "GHSA-w3w3-j3mh-3354",
        "discovery": "UNKNOWN"
      },
      "title": "PayPal Official Module for PrestaShop has Improperly Implemented Security Check for Standard"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-41670",
    "datePublished": "2024-07-26T14:46:14.226Z",
    "dateReserved": "2024-07-18T15:21:47.485Z",
    "dateUpdated": "2024-08-02T04:46:52.667Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2024-41670",
      "date": "2026-05-05",
      "epss": "0.00293",
      "percentile": "0.52517"
    },
    "fkie_nvd": {
      "descriptions": "[{\"lang\": \"en\", \"value\": \"In the module \\\"PayPal Official\\\" for PrestaShop 7+ releases prior to version 6.4.2 and for PrestaShop 1.6 releases prior to version 3.18.1, a malicious customer can confirm an order even if payment is finally declined by PayPal. A logical weakness during the capture of a payment in case of disabled webhooks can be exploited to create an accepted order. This could allow a threat actor to confirm an order with a fraudulent payment support. Versions 6.4.2 and 3.18.1 contain a patch for the issue. Additionally, users enable webhooks and check they are callable.\"}, {\"lang\": \"es\", \"value\": \" En el m\\u00f3dulo \\\"PayPal Official\\\" para las versiones PrestaShop 7+ anteriores a la versi\\u00f3n 6.4.2 y para las versiones PrestaShop 1.6 anteriores a la versi\\u00f3n 3.18.1, un cliente malintencionado puede confirmar un pedido incluso si PayPal finalmente rechaza el pago. Una debilidad l\\u00f3gica durante la captura de un pago en caso de webhooks deshabilitados se puede aprovechar para crear un pedido aceptado. Esto podr\\u00eda permitir que un actor de amenazas confirme un pedido con un soporte de pago fraudulento. Las versiones 6.4.2 y 3.18.1 contienen un parche para el problema. Adem\\u00e1s, los usuarios habilitan webhooks y verifican que se puedan llamar.\"}]",
      "id": "CVE-2024-41670",
      "lastModified": "2024-11-21T09:32:56.577",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 3.6}]}",
      "published": "2024-07-26T15:15:11.053",
      "references": "[{\"url\": \"https://github.com/202ecommerce/paypal/security/advisories/GHSA-w3w3-j3mh-3354\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://github.com/202ecommerce/paypal/security/advisories/GHSA-w3w3-j3mh-3354\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
      "sourceIdentifier": "security-advisories@github.com",
      "vulnStatus": "Awaiting Analysis",
      "weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-285\"}, {\"lang\": \"en\", \"value\": \"CWE-863\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-41670\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-07-26T15:15:11.053\",\"lastModified\":\"2024-11-21T09:32:56.577\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the module \\\"PayPal Official\\\" for PrestaShop 7+ releases prior to version 6.4.2 and for PrestaShop 1.6 releases prior to version 3.18.1, a malicious customer can confirm an order even if payment is finally declined by PayPal. A logical weakness during the capture of a payment in case of disabled webhooks can be exploited to create an accepted order. This could allow a threat actor to confirm an order with a fraudulent payment support. Versions 6.4.2 and 3.18.1 contain a patch for the issue. Additionally, users enable webhooks and check they are callable.\"},{\"lang\":\"es\",\"value\":\" En el m\u00f3dulo \\\"PayPal Official\\\" para las versiones PrestaShop 7+ anteriores a la versi\u00f3n 6.4.2 y para las versiones PrestaShop 1.6 anteriores a la versi\u00f3n 3.18.1, un cliente malintencionado puede confirmar un pedido incluso si PayPal finalmente rechaza el pago. Una debilidad l\u00f3gica durante la captura de un pago en caso de webhooks deshabilitados se puede aprovechar para crear un pedido aceptado. Esto podr\u00eda permitir que un actor de amenazas confirme un pedido con un soporte de pago fraudulento. Las versiones 6.4.2 y 3.18.1 contienen un parche para el problema. 
Adem\u00e1s, los usuarios habilitan webhooks y verifican que se puedan llamar.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-285\"},{\"lang\":\"en\",\"value\":\"CWE-863\"}]}],\"references\":[{\"url\":\"https://github.com/202ecommerce/paypal/security/advisories/GHSA-w3w3-j3mh-3354\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/202ecommerce/paypal/security/advisories/GHSA-w3w3-j3mh-3354\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/202ecommerce/paypal/security/advisories/GHSA-w3w3-j3mh-3354\", \"name\": \"https://github.com/202ecommerce/paypal/security/advisories/GHSA-w3w3-j3mh-3354\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T04:46:52.667Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-41670\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-07-26T15:56:46.794129Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-07-26T15:56:51.575Z\"}}], \"cna\": {\"title\": \"PayPal Official Module for PrestaShop has Improperly Implemented Security Check for Standard\", \"source\": {\"advisory\": \"GHSA-w3w3-j3mh-3354\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"202ecommerce\", \"product\": \"paypal\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 6.4.2\"}, {\"status\": \"affected\", \"version\": \"\u003c 3.18.1\"}]}], \"references\": [{\"url\": \"https://github.com/202ecommerce/paypal/security/advisories/GHSA-w3w3-j3mh-3354\", \"name\": 
\"https://github.com/202ecommerce/paypal/security/advisories/GHSA-w3w3-j3mh-3354\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"In the module \\\"PayPal Official\\\" for PrestaShop 7+ releases prior to version 6.4.2 and for PrestaShop 1.6 releases prior to version 3.18.1, a malicious customer can confirm an order even if payment is finally declined by PayPal. A logical weakness during the capture of a payment in case of disabled webhooks can be exploited to create an accepted order. This could allow a threat actor to confirm an order with a fraudulent payment support. Versions 6.4.2 and 3.18.1 contain a patch for the issue. Additionally, users enable webhooks and check they are callable.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-285\", \"description\": \"CWE-285: Improper Authorization\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-863\", \"description\": \"CWE-863: Incorrect Authorization\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-07-26T14:46:14.226Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-41670\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-08-02T04:46:52.667Z\", \"dateReserved\": \"2024-07-18T15:21:47.485Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2024-07-26T14:46:14.226Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

