CVE-2017-6215
Description
A reflected XSS vulnerability in PayPal Permissions SDK for PHP samples allows arbitrary JavaScript execution via the verification_code parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A reflected cross-site scripting (XSS) vulnerability exists in the paypal/permissions-sdk-php SDK sample file samples/GetAccessToken.php. The verification_code HTTP GET parameter is echoed back into the page without proper sanitization or output encoding [1][4]. This occurs on line 24 of the sample file, where $_REQUEST['verification_code'] is used directly in the HTML output [4]. Affected versions include all versions of the deprecated SDK library, as the sample file has not been patched to filter the parameter [2].
Exploitation
An attacker can craft a malicious URL containing a JavaScript payload in the verification_code parameter. For example: http:///permissions-sdk-php-master/samples/GetAccessToken.php?verification_code=">". When a victim visits this URL, the browser executes the injected script in the context of the vulnerable domain [4]. No authentication or special privileges are required beyond the victim visiting the attacker's link. The attacker can embed this URL in phishing emails, forum posts, or other social engineering vectors.
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the victim's browser. This can lead to session hijacking, cookie theft, defacement of the page, or redirection to malicious sites [1][4]. The impact is limited to the sample application's context, but if the sample is hosted on a production domain with access to cookies or session tokens for the legitimate PayPal integration, the attacker could potentially steal sensitive data associated with that domain.
Mitigation
PayPal has deprecated the permissions-sdk-php library and recommends migrating to the new Server SDK [2]. A commit (a897893) added a .gitattributes file to exclude the samples directory from release archives, but this does not fix the XSS vulnerability itself [3]. Administrators should remove or restrict access to the samples/GetAccessToken.php file from production environments. As of the publication date (2018-08-02), no patched version of the sample file is available. The repository is archived and no further updates are expected [4].
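The unencoded-echo pattern from the Vulnerability section next to the output-encoding fix that the Mitigation section says the sample never received, as an added example that is not the SDK's sample code: the markup, the function names and the request array are assumptions, and the sample input is constructed.

```php
<?php
// Added example, not samples/GetAccessToken.php itself. The request is
// modelled as an array so the script runs from the CLI; in the real sample
// the value comes from $_REQUEST['verification_code'] (assumed markup).

// Vulnerable pattern: the raw request value is concatenated into HTML, so
// a double quote in the value closes the attribute and the rest is markup.
function renderVerificationVulnerable(array $request): string
{
    $code = $request['verification_code'] ?? '';
    return '<input type="text" name="verification_code" value="' . $code . '">';
}

// Hardened pattern: encode for the HTML attribute context on output.
// ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE keeps invalid UTF-8
// from producing an empty string, which would silently drop the value.
function renderVerificationHardened(array $request): string
{
    $code = $request['verification_code'] ?? '';
    $safe = htmlspecialchars($code, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="verification_code" value="' . $safe . '">';
}

// Independent check: true when the rendered attribute still contains the
// value as data, i.e. no raw quote or angle bracket from the input survived.
function attributeStaysIntact(string $html, string $value): bool
{
    $encoded = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return strpos($html, 'value="' . $encoded . '">') !== false;
}

// Constructed sample input carrying attribute-breaking metacharacters.
$sample = ['verification_code' => 'abc"><b>x</b>'];

$vulnerable = renderVerificationVulnerable($sample);
$hardened   = renderVerificationHardened($sample);

echo $vulnerable, "\n"; // the value escapes the attribute and becomes markup
echo $hardened, "\n";   // value="abc&quot;&gt;&lt;b&gt;x&lt;/b&gt;"

var_dump(attributeStaysIntact($vulnerable, $sample['verification_code'])); // bool(false)
var_dump(attributeStaysIntact($hardened, $sample['verification_code']));   // bool(true)
```

Encoding at the point of output is the fix for the defect reported here; an allow-list check on the expected shape of the verification code is a separate, additional control, not a substitute for it.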
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| paypal/permissions-sdk-php (Packagist) | <= 3.9.1 | — |
Affected products
Patches
a897893d467c Merge pull request #21 from paypal/gitattributes
1 file changed · +1 −0
.gitattributes+1 −0 added@@ -0,0 +1 @@ +samples/ export-ignore
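Review bot: the single added line only marks samples/ as export-ignore, so the directory is omitted from archives produced by git archive; it leaves samples/GetAccessToken.php untouched, and the unencoded echo of verification_code on line 24 of that file remains for anyone deploying from a clone of the repository or from an archive downloaded before this commit. If this is intended as the response to the advisory, the commit message (and the samples directory itself, if it stays in the tree) should say plainly that the sample is unfixed and must not be deployed.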
References
- github.com/advisories/GHSA-2qfv-wwfx-fh34 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2017-6215 (ghsa, ADVISORY)
- github.com/paypal/permissions-sdk-php/commit/a897893d467ca50b9b024b21bd8072ceb3bf2cf8 (ghsa, WEB)
- github.com/paypal/permissions-sdk-php/issues/19 (ghsa, x_refsource_CONFIRM, WEB)