Medium severity 6.1 · NVD Advisory · Published Feb 24, 2017 · Updated May 13, 2026
CVE-2017-6099
Description
Cross-site scripting (XSS) vulnerability in GetAuthDetails.html.php in PayPal PHP Merchant SDK (aka merchant-sdk-php) 3.9.1 allows remote attackers to inject arbitrary web script or HTML via the token parameter.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| paypal/merchant-sdk-php (Packagist) | >= 3.0.0, < 3.12.0 | 3.12.0 |
Affected products
- cpe:2.3:a:paypal:merchant-sdk-php:3.9.1:*:*:*:*:*:*:*
Patches
No patches discovered yet.
References
- github.com/paypal/merchant-sdk-php/issues/129 (nvd; Exploit, Third Party Advisory, WEB)
- www.securityfocus.com/bid/96432 (nvd; Third Party Advisory, VDB Entry, WEB)
- github.com/advisories/GHSA-p4g7-wjhq-9r2h (ghsa; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2017-6099 (ghsa; ADVISORY)
- github.com/FriendsOfPHP/security-advisories/blob/master/paypal/merchant-sdk-php/CVE-2017-6099.yaml (ghsa; WEB)