npm

Severity: critical

Validation Bypass

paypal-ipn

Overview

Versions 2.x.x and earlier of paypal-ipn are affected by a validation bypass vulnerability.

paypal-ipn uses the test_ipn parameter (which is set by the PayPal IPN simulator) to determine if it should use the production PayPal site or the sandbox.

A motivated attacker could craft a request string using the simulator to fool the application into entering the sandbox mode, potentially allowing purchases without valid payment.

Remediation

Upgrade to version 3.0.0 or later.

Resources

Have content suggestions? Send them to [email protected]

Advisory timeline

  1. reported

    Initial report by Martin Angelov
    Oct 17th, 2015
  2. published

    Advisory published
    Dec 3rd, 2014