FKIE_CVE-2024-41670

Vulnerability from fkie_nvd - Published: 2024-07-26 15:15 - Updated: 2026-04-15 00:35
Severity
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Summary
In the module "PayPal Official" for PrestaShop 7+ releases prior to version 6.4.2 and for PrestaShop 1.6 releases prior to version 3.18.1, a malicious customer can confirm an order even if payment is finally declined by PayPal. A logical weakness during the capture of a payment in case of disabled webhooks can be exploited to create an accepted order. This could allow a threat actor to confirm an order with a fraudulent payment support. Versions 6.4.2 and 3.18.1 contain a patch for the issue. Additionally, users enable webhooks and check they are callable.
References
security-advisories@github.comhttps://github.com/202ecommerce/paypal/security/advisories/GHSA-w3w3-j3mh-3354
af854a3a-2127-422b-91ae-364da2661108https://github.com/202ecommerce/paypal/security/advisories/GHSA-w3w3-j3mh-3354
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the module \"PayPal Official\" for PrestaShop 7+ releases prior to version 6.4.2 and for PrestaShop 1.6 releases prior to version 3.18.1, a malicious customer can confirm an order even if payment is finally declined by PayPal. A logical weakness during the capture of a payment in case of disabled webhooks can be exploited to create an accepted order. This could allow a threat actor to confirm an order with a fraudulent payment support. Versions 6.4.2 and 3.18.1 contain a patch for the issue. Additionally, users enable webhooks and check they are callable."
    },
    {
      "lang": "es",
      "value": " En el m\u00f3dulo \"PayPal Official\" para las versiones PrestaShop 7+ anteriores a la versi\u00f3n 6.4.2 y para las versiones PrestaShop 1.6 anteriores a la versi\u00f3n 3.18.1, un cliente malintencionado puede confirmar un pedido incluso si PayPal finalmente rechaza el pago. Una debilidad l\u00f3gica durante la captura de un pago en caso de webhooks deshabilitados se puede aprovechar para crear un pedido aceptado. Esto podr\u00eda permitir que un actor de amenazas confirme un pedido con un soporte de pago fraudulento. Las versiones 6.4.2 y 3.18.1 contienen un parche para el problema. Adem\u00e1s, los usuarios habilitan webhooks y verifican que se puedan llamar."
    }
  ],
  "id": "CVE-2024-41670",
  "lastModified": "2026-04-15T00:35:42.020",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-07-26T15:15:11.053",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/202ecommerce/paypal/security/advisories/GHSA-w3w3-j3mh-3354"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://github.com/202ecommerce/paypal/security/advisories/GHSA-w3w3-j3mh-3354"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-285"
        },
        {
          "lang": "en",
          "value": "CWE-863"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.