CVE-2024-41670

In the module "PayPal Official" for PrestaShop 7+ releases prior to version 6.4.2 and for PrestaShop 1.6 releases prior to version 3.18.1, a malicious customer can confirm an order even if payment is finally declined by PayPal. A logical weakness during the capture of a payment in case of disabled webhooks can be exploited to create an accepted order. This could allow a threat actor to confirm an order with a fraudulent payment support. Versions 6.4.2 and 3.18.1 contain a patch for the issue. Additionally, users enable webhooks and check they are callable.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/202ecommerce/paypal/security/advisories/GHSA-w3w3-j3mh-3354
https://github.com/202ecommerce/paypal/security/advisories/GHSA-w3w3-j3mh-3354

Configurations

No configuration.

History

No history.

Information

Published : 2024-07-26 15:15

Updated : 2024-11-21 09:32

NVD link : CVE-2024-41670

Mitre link : CVE-2024-41670

CVE.ORG link : CVE-2024-41670

JSON object : View

Products Affected

No product.

CWE

CWE-285

Improper Authorization

CWE-863

Incorrect Authorization

{"id": "CVE-2024-41670", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2024-07-26T15:15:11.053", "references": [{"url": "https://github.com/202ecommerce/paypal/security/advisories/GHSA-w3w3-j3mh-3354", "source": "security-advisories@github.com"}, {"url": "https://github.com/202ecommerce/paypal/security/advisories/GHSA-w3w3-j3mh-3354", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-285"}, {"lang": "en", "value": "CWE-863"}]}], "descriptions": [{"lang": "en", "value": "In the module \"PayPal Official\" for PrestaShop 7+ releases prior to version 6.4.2 and for PrestaShop 1.6 releases prior to version 3.18.1, a malicious customer can confirm an order even if payment is finally declined by PayPal. A logical weakness during the capture of a payment in case of disabled webhooks can be exploited to create an accepted order. This could allow a threat actor to confirm an order with a fraudulent payment support. Versions 6.4.2 and 3.18.1 contain a patch for the issue. Additionally, users enable webhooks and check they are callable."}, {"lang": "es", "value": " En el m\u00f3dulo \"PayPal Official\" para las versiones PrestaShop 7+ anteriores a la versi\u00f3n 6.4.2 y para las versiones PrestaShop 1.6 anteriores a la versi\u00f3n 3.18.1, un cliente malintencionado puede confirmar un pedido incluso si PayPal finalmente rechaza el pago. Una debilidad l\u00f3gica durante la captura de un pago en caso de webhooks deshabilitados se puede aprovechar para crear un pedido aceptado. Esto podr\u00eda permitir que un actor de amenazas confirme un pedido con un soporte de pago fraudulento. Las versiones 6.4.2 y 3.18.1 contienen un parche para el problema. Adem\u00e1s, los usuarios habilitan webhooks y verifican que se puedan llamar."}], "lastModified": "2024-11-21T09:32:56.577", "sourceIdentifier": "security-advisories@github.com"}