VYPR
Moderate severity · NVD Advisory · Published Jul 10, 2019 · Updated Aug 5, 2024

CVE-2017-6217

Description

Reflected XSS vulnerability in PayPal Adaptive Payments SDK for PHP v3.9.2 allows code execution via SetPaymentOptions.php.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Overview

The PayPal Adaptive Payments SDK for PHP version 3.9.2 contains a reflected cross-site scripting (XSS) vulnerability in the SetPaymentOptions.php file [1]. This flaw allows an attacker to inject arbitrary HTML and JavaScript into the application's response, leading to client-side code execution.

Exploitation

The vulnerability is reflected, meaning the attacker must craft a malicious URL containing the XSS payload and convince a victim to click it. No prior authentication is required for the XSS to execute in the victim's browser. The SetPaymentOptions.php endpoint does not properly sanitize user input, enabling the injection.

Impact

Successful exploitation results in arbitrary script execution within the victim's browser session. This could allow the attacker to steal sensitive information such as session cookies, perform actions on behalf of the user, or redirect the user to malicious websites.

Mitigation

The issue was reported on the project's GitHub repository [1]. Users are advised to upgrade to a patched version or apply input validation/sanitization as a workaround. The SDK may be deprecated; consult the vendor for current support.
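The workaround named above (validate and encode untrusted input before it reaches the response) is illustrated below in PHP. This is an added example, not code from the PayPal Adaptive Payments SDK or from this advisory; the page does not show the vulnerable lines, so the handler, the `returnUrl` parameter and the sample request are assumptions. It places the unsafe reflection pattern beside its hardened form.

```php
<?php
// Added illustration of reflected XSS in PHP and its fix.
// NOT code from the PayPal Adaptive Payments SDK; the parameter name
// 'returnUrl' and the rendering functions are assumptions for this example.

declare(strict_types=1);

// Unsafe pattern: a request value is concatenated straight into HTML, so any
// quote or angle bracket in it becomes markup in the response.
function render_unsafe(array $params): string
{
    $returnUrl = $params['returnUrl'] ?? '';
    return '<a href="' . $returnUrl . '">Return to merchant</a>';
}

// Hardened pattern: (1) validate the value against what the application expects
// (an absolute http/https URL), (2) encode it for the HTML attribute context.
// Note that FILTER_VALIDATE_URL does not reject quotes or angle brackets in the
// path or query, so step (2) is what actually neutralizes injected markup.
function render_safe(array $params): string
{
    $returnUrl = $params['returnUrl'] ?? '';
    if (!is_string($returnUrl)
        || filter_var($returnUrl, FILTER_VALIDATE_URL) === false
        || !in_array(parse_url($returnUrl, PHP_URL_SCHEME), ['http', 'https'], true)) {
        $returnUrl = '/'; // reject javascript:, data:, relative and malformed values
    }
    $escaped = htmlspecialchars($returnUrl, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="' . $escaped . '">Return to merchant</a>';
}

// Constructed sample standing in for $_GET; the marker is harmless bold text,
// enough to show whether the response treats the value as data or as markup.
$sample = ['returnUrl' => 'https://example.com/?x="><b>marker</b>'];

if (PHP_SAPI !== 'cli') {
    // In a real web context, declare the charset so the browser and the
    // encoder agree on it.
    header('Content-Type: text/html; charset=UTF-8');
}

echo "Unsafe: " . render_unsafe($sample) . "\n"; // marker lands inside the markup
echo "Safe:   " . render_safe($sample) . "\n";   // quotes and brackets are entity-encoded
```

Run with `php example.php`; the unsafe line closes the `href` attribute early and emits a `<b>` element, while the safe line renders the same input as an inert attribute value. Encoding must match the output context (attribute here; a JavaScript or URL context needs its own encoder), which is why escaping at output time, not generic "sanitizing" at input time, is the dependable control for reflected XSS.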

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: paypal/adaptivepayments-sdk-php (Packagist)
Affected versions: <= 3.9.2
Patched versions: none listed

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0

No linked articles in our index yet.