Описание
Validation Bypass in paypal-ipn
Versions 2.x.x and earlier of paypal-ipn are affected by a validation bypass vulnerability.
paypal-ipn uses the test_ipn parameter (which is set by the PayPal IPN simulator) to determine if it should use the production PayPal site or the sandbox.
A motivated attacker could craft a request string using the simulator to fool the application into entering the sandbox mode, potentially allowing purchases without valid payment.
Recommendation
Upgrade to version 3.0.0 or later.
Пакеты
paypal-ipn
< 3.0.0
3.0.0
Связанные уязвимости
paypal-ipn before 3.0.0 uses the `test_ipn` parameter (which is set by the PayPal IPN simulator) to determine if it should use the production PayPal site or the sandbox. With a bit of time, an attacker could craft a request using the simulator that would fool any application which does not explicitly check for test_ipn in production.