Validation Bypass

Affecting paypal-ipn package, versions <3.0.0

Do your applications use this vulnerable package? Test your applications

Overview

paypal-ipn uses the test_ipn parameter (which is set by the PayPal IPN simulator) to determine if it should use the production PayPal site or the sandbox.

"With a bit of time, an attacker could craft a request using the simulator that would fool any application which does not explicitly check for test_ipn in production." [1]

Source: Node Security Project

Remediation

Upgrade to version 3.0.0 or greater.

References

CVSS Score

6.5
medium severity
  • Attack Vector
    Network
  • Attack Complexity
    Low
  • Privileges Required
    None
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    Low
  • Integrity
    Low
  • Availability
    None
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Credit
Martin Angelov
CVE
CVE-2014-10067
CWE
CWE-284
Snyk ID
npm:paypal-ipn:20141203
Disclosed
03 Dec, 2014
Published
03 Dec, 2014