Aggregates CVE and security vulnerability intelligence across all PayPal-related products, including CVSS, EPSS, publication dates, and vulnerability intelligence data.
Historical issues mainly involve input validation and cross-site scripting and related problems; some flaws may lead to unexpected behavior and session compromise.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2022-48345 | sanitize-url (aka @braintree/sanitize-url) before 6.0.2 allows XSS via HTML entities. | [email protected] | 6.1 | 0.58% | 2023-02-24 | 2025-03-12 |
| CVE-2022-21129 | Versions of the package nemo-appium before 0.0.9 are vulnerable to Command Injection due to improper input sanitization in the 'module.exports.setup' function. **Note:** In order to exploit this vulnerability appium-running 0.1.3 has to be installed as one of nemo-appium dependencies. | [email protected] | 7.4 | 2.77% | 2023-01-31 | 2025-03-27 |
| CVE-2021-23648 | The package @braintree/sanitize-url before 6.0.0 is vulnerable to Cross-site Scripting (XSS) due to improper sanitization in the sanitizeUrl function. | [email protected] | 5.4 | 1.42% | 2022-03-16 | 2024-11-21 |
| CVE-2017-6217 | paypal/adaptivepayments-sdk-php v3.9.2 is vulnerable to a reflected XSS in SetPaymentOptions.php, resulting in code execution. | [email protected] | 6.1 | 1.24% | 2019-07-10 | 2024-11-21 |
| CVE-2017-6215 | paypal/permissions-sdk-php is vulnerable to reflected XSS in the samples/GetAccessToken.php verification_code parameter, resulting in code execution. | [email protected] | 5.4 | 0.80% | 2018-08-02 | 2024-11-21 |
| CVE-2017-6213 | paypal/invoice-sdk-php is vulnerable to reflected XSS in samples/permissions.php via the permToken parameter, resulting in code execution. | [email protected] | 5.4 | 0.80% | 2018-08-02 | 2024-11-21 |
| CVE-2013-7202 | The WebHybridClient class in PayPal 5.3 and earlier for Android allows remote attackers to execute arbitrary JavaScript on the system. | [email protected] | 8.1 | 2.18% | 2018-04-27 | 2024-11-21 |
| CVE-2013-7201 | WebHybridClient.java in PayPal 5.3 and earlier for Android ignores SSL errors, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information. | [email protected] | 7.4 | 1.87% | 2018-04-27 | 2024-11-21 |
| CVE-2017-6099 | Cross-site scripting (XSS) vulnerability in GetAuthDetails.html.php in PayPal PHP Merchant SDK (aka merchant-sdk-php) 3.9.1 allows remote attackers to inject arbitrary web script or HTML via the token parameter. | [email protected] | 6.1 | 1.24% | 2017-02-24 | 2026-05-13 |
| CVE-2011-5237 | PayPal WPS ToolKit does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. | [email protected] | 5.8 | 0.53% | 2012-11-06 | 2026-04-29 |
| CVE-2012-5806 | The PayPal Payments Pro module in Zen Cart does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate, related to use of the PHP fsockopen function, a different vulnerability than CVE-2012-5805. | [email protected] | 5.8 | 0.57% | 2012-11-04 | 2026-04-29 |
| CVE-2012-5805 | The PayPal IPN functionality in Zen Cart does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate, a different vulnerability than CVE-2012-5806. | [email protected] | 5.8 | 0.57% | 2012-11-04 | 2026-04-29 |
| CVE-2012-5802 | The PayPal module in Ubercart does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. | [email protected] | 5.8 | 0.57% | 2012-11-04 | 2026-04-29 |
| CVE-2012-5798 | The PayPal Pro PayFlow EC module in osCommerce does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. | [email protected] | 5.8 | 0.57% | 2012-11-04 | 2026-04-29 |
| CVE-2012-5796 | The PayPal Pro module in osCommerce does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. | [email protected] | 5.8 | 0.57% | 2012-11-04 | 2026-04-29 |
| CVE-2012-5791 | PayPal Invoicing does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. | [email protected] | 5.8 | 0.57% | 2012-11-04 | 2026-04-29 |
| CVE-2012-5790 | PayPal Payments Standard PHP Library 20120427 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate, related to misinterpretation of a certain TRUE value. | [email protected] | 5.8 | 0.57% | 2012-11-04 | 2026-04-29 |
| CVE-2012-5789 | PayPal Payments Standard PHP Library before 20120427 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate, related to intentional disabling of certificate-validation checks through a "FALSE" value. | [email protected] | 5.8 | 0.57% | 2012-11-04 | 2026-04-29 |
| CVE-2012-5788 | The PayPal IPN utility does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate, related to use of the PHP fsockopen function. | [email protected] | 5.8 | 0.57% | 2012-11-04 | 2026-04-29 |
| CVE-2012-5787 | The PayPal merchant SDK does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. | [email protected] | 5.8 | 0.91% | 2012-11-04 | 2026-04-29 |