GHSA-vxpm-8hcp-qh27

Source

https://github.com/advisories/GHSA-vxpm-8hcp-qh27

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-vxpm-8hcp-qh27/GHSA-vxpm-8hcp-qh27.json

Aliases

CVE-2023-23941

Published

2023-02-03T21:07:28Z

Modified

2023-11-08T04:11:43.458455Z

Details

Impact

If JavaScript-based PayPal checkout methods are used (PayPal Plus, Smart Payment Buttons, SEPA, Pay Later, Venmo, Credit card), the amount and item list sent to PayPal may not be identical to the one in the created order.

Patches

The problem has been fixed with version 5.4.4

Workarounds

Disable the aforementioned payment methods or use the Security Plugin in version >= 1.0.21.

References

Shopware blog post

References

Affected packages

Packagist / swag/paypal

Package

Name: swag/paypal

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0The exact introduced commit is unknown

Fixed

5.4.4

Affected versions

0.*

0.9.0

0.10.0

0.10.1

0.11.0

0.11.1

0.12.0

0.13.0

1.*

1.0.0

1.1.0

1.1.1

1.2.0

1.3.0

1.3.1

1.4.0

1.5.0

1.5.1

1.5.2

1.6.0

1.7.0

1.7.1

1.7.2

1.7.3

1.8.0

1.8.1

1.8.2

1.8.3

1.8.4

1.9.0

1.9.1

1.9.2

1.9.3

1.10.0

2.*

2.0.0

2.0.1

2.0.2

2.1.0

2.1.1

2.1.2

2.2.0

2.2.1

2.2.2

2.2.3

2.2.4

2.2.5

2.2.6

3.*

3.0.0

3.0.1

3.0.2

3.0.3

3.1.0

3.2.0

3.2.1

3.3.0

3.3.1

3.3.1.1

3.4.0

3.5.0

4.*

4.0.0

4.1.0

4.1.1

5.*

5.0.0

5.0.1

5.0.2

5.0.3

5.0.4

5.1.0

5.1.1

5.1.2

5.2.0

5.3.0

5.3.1

5.3.2

5.4.0

5.4.1

5.4.2

5.4.3