Paymenter has Blind Unauthenticated SSRF on the Paypal gateway module
Description
Summary
The PayPal webhook endpoint /extensions/paypal/webhook processes the PAYPAL-CERT-URL HTTP header without validation, allowing attackers to control server-side HTTP request destinations.
Technical details:
The /extensions/paypal/webhook endpoint processes incoming webhook requests and trusts the value of the PAYPAL-CERT-URL HTTP header without validation.
This value is passed directly into a server-side HTTP request via file_get_contents, allowing attackers to control the destination of the request. No allowlist, validation, or signature verification is applied to the header before usage.
As a result, the application can be coerced into performing HTTP requests to attacker-controlled or internal network destinations.
Impact
This vulnerability allows remote unauthenticated attackers to induce server-side HTTP GET requests to arbitrary external or internal endpoints.
Depending on network configuration, this may lead to:
- Blind SSRF to external attacker-controlled systems
- Potential access to internal network services
No direct response data is returned to the attacker (blind SSRF), but the issue may still enable sensitive network probing or data exfiltration via side channels.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
paymenter/paymenterPackagist | < 1.5.0 | 1.5.0 |
Affected products
1Patches
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
2News mentions
0No linked articles in our index yet.