7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-41120

GHSA ID

GHSA-25fx-mxc2-76g7

EPSS Score

0.57876%

CWE

CWE-200

Published

10/6/2021

Updated

1/27/2023

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-41120

CVE-2021-41120: Sylius PayPal Plugin allows unauthorized access to Credit card form, exposing payer name and not requiring 3DS

Impact

URL to the payment page done after checkout was created with autoincremented payment id (/pay-with-paypal/{id}) and therefore it was easy to access for anyone, not even the order's customer. The problem was, the Credit card form has prefilled "credit card holder" field with the Customer's first and last name. Additionally, the mentioned form did not require a 3D Secure authentication, as well as did not checked the result of the 3D Secure authentication.

Patches

The problem has been patched in Sylius/PayPalPlugin 1.2.4 and 1.3.1

Workarounds

One can override a sylius_paypal_plugin_pay_with_paypal_form route and change its URL parameters to (for example) {orderToken}/{paymentId}, then override the Sylius\PayPalPlugin\Controller\PayWithPayPalFormAction service, to operate on the payment taken from the repository by these 2 values. It would also require usage of custom repository method. Additionally, one could override the @SyliusPayPalPlugin/payWithPaypal.html.twig template, to add contingencies: ['SCA_ALWAYS'] line in hostedFields.submit(...) function call (line 421). It would then have to be handled in the function callback.

For more information

If you have any questions or comments about this advisory:

Open an issue in Sylius/PayPalPlugin issues
Email us at security at sylius dot com

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-41120

GHSA ID

GHSA-25fx-mxc2-76g7

EPSS Score

0.57876%

CWE

CWE-200

Published

10/6/2021

Updated

1/27/2023

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
sylius/paypal-plugin	composer	>= 1.0.0, < 1.2.4	1.2.4
sylius/paypal-plugin	composer	>= 1.3.0, < 1.3.1	1.3.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The payment form route used predictable IDs without order token validation (Authorization Bypass via CWE-639), fixed by adding dual-parameter lookup in PayWithPayPalFormAction. 2. The Twig template's JavaScript integration lacked 3DS enforcement and result validation, allowing unauthenticated payments and PII exposure through prefilled names, addressed by adding contingencies parameter and authentication checks in the patch.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t URL to t** p*ym*nt p*** *on* **t*r ****kout w*s *r**t** wit* *utoin*r*m*nt** p*ym*nt i* (`/p*y-wit*-p*yp*l/{i*}`) *n* t**r**or* it w*s **sy to ****ss *or *nyon*, not *v*n t** or**r's *ustom*r. T** pro*l*m w*s, t** *r**it **r* *orm **s pr**

Reasoning

*. T** p*ym*nt *orm rout* us** pr**i*t**l* I*s wit*out or**r tok*n v*li**tion (*ut*oriz*tion *yp*ss vi* *W*-***), *ix** *y ***in* *u*l-p*r*m*t*r lookup in P*yWit*P*yP*l*orm**tion. *. T** Twi* t*mpl*t*'s J*v*S*ript int**r*tion l**k** **S *n*or**m*nt *

7.5

Basic Information

Concerned about an active attack path?

CVE-2021-41120: Sylius PayPal Plugin allows unauthorized access to Credit card form, exposing payer name and not requiring 3DS

Impact

Patches

Workarounds

For more information

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI