VYPR

Paypal

All CVEs

25 total · sorted by risk
  • CVE-2013-7202 · High · Apr 27, 2018
    risk 0.53 · cvss 8.1 · epss 0.02

    The WebHybridClient class in PayPal 5.3 and earlier for Android allows remote attackers to execute arbitrary JavaScript on the system.

  • CVE-2013-7201 · High · Apr 27, 2018
    risk 0.48 · cvss 7.4 · epss 0.02

    WebHybridClient.java in PayPal 5.3 and earlier for Android ignores SSL errors, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information.

  • CVE-2017-6099 · Medium · Feb 24, 2017
    risk 0.40 · cvss 6.1 · epss 0.01

    Cross-site scripting (XSS) vulnerability in GetAuthDetails.html.php in PayPal PHP Merchant SDK (aka merchant-sdk-php) 3.9.1 allows remote attackers to inject arbitrary web script or HTML via the token parameter.

  • CVE-2008-6535 · Mar 26, 2009
    risk 0.04 · cvss n/a · epss 0.06

    admin/settings.php in PayPal eStores allows remote attackers to bypass intended access restrictions and change the administrative password via a direct request with a modified NewAdmin parameter.

  • CVE-2024-33974 · Aug 6, 2024
    risk 0.00 · cvss n/a · epss 0.00

    SQL injection vulnerability in PayPal, Credit Card and Debit Card Payment affecting version 1.0. An attacker could exploit this vulnerability by sending a specially crafted query to the server and retrieve all the information stored in it through the following 'Users in…

  • CVE-2024-33973 · Aug 6, 2024
    risk 0.00 · cvss n/a · epss 0.00

    SQL injection vulnerability in PayPal, Credit Card and Debit Card Payment affecting version 1.0. An attacker could exploit this vulnerability by sending a specially crafted query to the server and retrieve all the information stored in it through the following 'Attendance'…

  • CVE-2024-33980 · Aug 6, 2024
    risk 0.00 · cvss n/a · epss 0.00

    Cross-Site Scripting (XSS) vulnerability in PayPal, Credit Card and Debit Card Payment affecting version 1.0. An attacker could create a specially crafted URL and send it to a victim to obtain details of their session cookie via the 'start' parameter in…

  • CVE-2022-23410 · Feb 14, 2022
    risk 0.00 · cvss n/a · epss 0.00

    AXIS IP Utility before 4.18.0 allows for remote code execution and local privilege escalation by the means of DLL hijacking. IPUtility.exe would attempt to load DLLs from its current working directory which could allow for remote code execution if a compromised DLL would be…

  • CVE-2011-5237 · Nov 6, 2012
    risk 0.00 · cvss n/a · epss 0.01

    PayPal WPS ToolKit does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

  • CVE-2012-5806 · Nov 4, 2012
    risk 0.00 · cvss n/a · epss 0.01

    The PayPal Payments Pro module in Zen Cart does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid…

  • CVE-2012-5805 · Nov 4, 2012
    risk 0.00 · cvss n/a · epss 0.01

    The PayPal IPN functionality in Zen Cart does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid…

  • CVE-2012-5802 · Nov 4, 2012
    risk 0.00 · cvss n/a · epss 0.01

    The PayPal module in Ubercart does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

  • CVE-2012-5798 · Nov 4, 2012
    risk 0.00 · cvss n/a · epss 0.01

    The PayPal Pro PayFlow EC module in osCommerce does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid…

  • CVE-2012-5796 · Nov 4, 2012
    risk 0.00 · cvss n/a · epss 0.01

    The PayPal Pro module in osCommerce does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

  • CVE-2012-5791 · Nov 4, 2012
    risk 0.00 · cvss n/a · epss 0.01

    PayPal Invoicing does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

  • CVE-2012-5790 · Nov 4, 2012
    risk 0.00 · cvss n/a · epss 0.01

    PayPal Payments Standard PHP Library 20120427 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid…

  • CVE-2012-5789 · Nov 4, 2012
    risk 0.00 · cvss n/a · epss 0.01

    PayPal Payments Standard PHP Library before 20120427 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary…

  • CVE-2012-5788 · Nov 4, 2012
    risk 0.00 · cvss n/a · epss 0.01

    The PayPal IPN utility does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate, related to…

  • CVE-2012-5787 · Nov 4, 2012
    risk 0.00 · cvss n/a · epss 0.01

    The PayPal merchant SDK does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

  • CVE-2012-5784 · Nov 4, 2012
    risk 0.00 · cvss n/a · epss 0.06

    Apache Axis 1.4 and earlier, as used in PayPal Payments Pro, PayPal Mass Pay, PayPal Transactional Information SOAP, the Java Message Service implementation in Apache ActiveMQ, and other products, does not verify that the server hostname matches a domain name in the subject's…

  • CVE-2012-2991 · Sep 19, 2012
    risk 0.00 · cvss n/a · epss 0.01

    The PayPal (aka MODULE_PAYMENT_PAYPAL_STANDARD) module before 1.1 in osCommerce Online Merchant before 2.3.4 allows remote attackers to set the payment recipient via a modified value of the merchant's e-mail address, as demonstrated by setting the recipient to one's self.

  • CVE-2012-2058 · Sep 17, 2012
    risk 0.00 · cvss n/a · epss 0.01

    The Ubercart Payflow module for Drupal does not use a secure token, which allows remote attackers to forge payments via unspecified vectors.

  • CVE-2010-4211 · Nov 9, 2010
    risk 0.00 · cvss n/a · epss 0.00

    The PayPal app before 3.0.1 for iOS does not verify that the server hostname matches the domain name of the subject of an X.509 certificate, which allows man-in-the-middle attackers to spoof a PayPal web server via an arbitrary certificate.

  • CVE-2006-0202 · Jan 13, 2006
    risk 0.00 · cvss n/a · epss 0.00

    Dave Nielsen and Patrick Breitenbach PayPal Web Services (aka PHP Toolkit) 0.50 and possibly earlier has (1) world-readable permissions for ipn/logs/ipn_success.txt, which allows local users to view sensitive information (payment data), and (2) world-writable permissions for…

  • CVE-2006-0201 · Jan 13, 2006
    risk 0.00 · cvss n/a · epss 0.01

    Dave Nielsen and Patrick Breitenbach PayPal Web Services (aka PHP Toolkit) 0.50, and possibly earlier versions, allows remote attackers to enter false payment entries into the log file via HTTP POST requests to ipn_success.php.