Versions 2.x.x and earlier of
paypal-ipn are affected by a validation bypass vulnerability.
paypal-ipn uses the
test_ipn parameter (which is set by the PayPal IPN simulator) to determine if it should use the production PayPal site or the sandbox.
A motivated attacker could craft a request string using the simulator to fool the application into entering the sandbox mode, potentially allowing purchases without valid payment.
Upgrade to version 3.0.0 or later.
publishedAdvisory publishedDec 3rd, 2014
reportedInitial report by Martin AngelovOct 17th, 2015