VYPR
Moderate severity · NVD Advisory · Published Aug 2, 2018 · Updated Aug 5, 2024

CVE-2017-6213

Description

paypal/invoice-sdk-php is vulnerable to reflected XSS via the permToken parameter in samples/permissions.php, allowing code execution in the user's browser.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The paypal/invoice-sdk-php library contains a reflected cross-site scripting (XSS) vulnerability in the samples/permissions.php script, specifically in its handling of the permToken parameter. The parameter value is reflected back into the response without sanitization or output encoding, so attacker-supplied JavaScript or HTML is rendered by the victim's browser. The affected versions are those of the paypal/invoice-sdk-php package before a fix was applied (the exact version range is not specified in the available references, but the issue was present in the codebase at the time of the CVE publication [1]).

Exploitation

To exploit this vulnerability, an attacker needs to craft a malicious URL containing a permToken parameter with a script payload. The attacker then tricks the victim into visiting this URL on a site running the vulnerable SDK. No authentication or special privileges are required; the attack is carried entirely over HTTP/HTTPS and relies on social engineering to deliver the link. When the victim's browser loads the page, the injected script executes in the context of the vulnerable domain [1].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser session on the affected domain. This can lead to session hijacking, data theft (e.g., phishing, stealing cookies), defacement, or redirecting to malicious sites. The impact is limited to the browser and the user's interactions, but it can compromise the confidentiality and integrity of data accessible via that session [1].

Mitigation

The vendor (PayPal) has fixed this vulnerability in later versions of the SDK; however, specific fixed version numbers are not provided in the available references [1]. Users should update to the latest version of paypal/invoice-sdk-php and ensure no uses of samples/permissions.php are exposed in production environments. As a workaround, the sample file should not be deployed on live servers. No CISA KEV listing was identified at the time of writing.
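The pattern behind this class of bug and its fix, as an added illustration rather than the SDK's own code: the parameter name permToken comes from the advisory, while the page layout, the helper names and the assumed token format are hypothetical, and the sample request is constructed.

```php
<?php
// Added illustration, not code from paypal/invoice-sdk-php. The parameter name
// permToken is taken from the advisory; the helpers and token format are assumed.

// Vulnerable pattern: a request parameter is concatenated straight into the HTML
// response, so any markup it carries is interpreted by the browser (reflected XSS).
function render_vulnerable(array $get): string
{
    $permToken = $get['permToken'] ?? '';
    return "<p>Permission token: " . $permToken . "</p>";
}

// Hardened pattern: contextual output encoding. htmlspecialchars with ENT_QUOTES
// converts <, >, &, " and ' into entities, so the value is shown as text only and
// cannot break out of the element it is written into.
function render_safe(array $get): string
{
    $permToken = $get['permToken'] ?? '';
    $encoded = htmlspecialchars($permToken, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<p>Permission token: " . $encoded . "</p>";
}

// Additional defence in depth: a permission token has a known shape (assumed here
// to be a short URL-safe alphanumeric string), so anything else can be rejected
// before it reaches the page at all. Encoding on output is still required.
function is_plausible_token(string $token): bool
{
    return (bool) preg_match('/^[A-Za-z0-9_-]{1,128}$/', $token);
}

// Constructed sample request using harmless markup instead of a live payload.
$sample = ['permToken' => '<b>not-a-token</b>'];

echo render_vulnerable($sample), "\n"; // markup passes through untouched
echo render_safe($sample), "\n";       // markup is entity-encoded
var_dump(is_plausible_token($sample['permToken'])); // rejected by the allow-list
```

In a deployment that must keep sample scripts reachable, the allow-list check belongs before any use of the value, and the encoding step before any write to the response.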

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: paypal/invoice-sdk-php (Packagist)
Affected versions: <= 3.9.0
Patched versions: none listed

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0 (no linked articles in our index yet)