Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1wNGc3LXdqaHEtOXIyaM4AAT5T
PayPal PHP Merchant SDK Cross-site scripting (XSS) vulnerability
Cross-site scripting (XSS) vulnerability in GetAuthDetails.html.php in PayPal PHP Merchant SDK (aka merchant-sdk-php) 3.9.1 allows remote attackers to inject arbitrary web script or HTML via the token parameter.
Permalink: https://github.com/advisories/GHSA-p4g7-wjhq-9r2hJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1wNGc3LXdqaHEtOXIyaM4AAT5T
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 2 years ago
Updated: 23 days ago
CVSS Score: 6.1
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Identifiers: GHSA-p4g7-wjhq-9r2h, CVE-2017-6099
References:
- https://nvd.nist.gov/vuln/detail/CVE-2017-6099
- https://github.com/paypal/merchant-sdk-php/issues/129
- http://www.securityfocus.com/bid/96432
- https://github.com/FriendsOfPHP/security-advisories/blob/master/paypal/merchant-sdk-php/CVE-2017-6099.yaml
- https://github.com/advisories/GHSA-p4g7-wjhq-9r2h
Blast Radius: 12.5
Affected Packages
packagist:paypal/merchant-sdk-php
Dependent packages: 16Dependent repositories: 110
Downloads: 4,290,072 total
Affected Version Ranges: >= 3.0.0, < 3.12.0
Fixed in: 3.12.0
All affected versions: 3.4.102, 3.5.103, 3.6.106, 3.8.106, 3.8.107, 3.9.0, 3.9.1, 3.10.0, 3.11.0
All unaffected versions: 2.2.98, 2.3.100, 2.3.101, 2.4.103, 2.5.106, 2.6.112, 2.7.113, 2.8.114, 2.9.115, 2.10.116, 2.11.117, 2.11.118, 3.12.0