High severity7.5OSV Advisory· Published Jul 26, 2024· Updated Apr 15, 2026
CVE-2024-41670
CVE-2024-41670
Description
In the module "PayPal Official" for PrestaShop 7+ releases prior to version 6.4.2 and for PrestaShop 1.6 releases prior to version 3.18.1, a malicious customer can confirm an order even if payment is finally declined by PayPal. A logical weakness during the capture of a payment in case of disabled webhooks can be exploited to create an accepted order. This could allow a threat actor to confirm an order with a fraudulent payment support. Versions 6.4.2 and 3.18.1 contain a patch for the issue. Additionally, users enable webhooks and check they are callable.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2- Range: 3.11.3, 3.11.4, 3.11.5, …
- Range: <=6.4.2 (PrestaShop 7+), <=3.18.1 (PrestaShop 1.6)
Patches
Vulnerability mechanics
References
1News mentions
0No linked articles in our index yet.