Vulnerabilities > Paypal > Medium

DATE CVE VULNERABILITY TITLE RISK
2023-02-24 CVE-2022-48345 Cross-site Scripting vulnerability in Paypal Braintree/Sanitize-Url
sanitize-url (aka @braintree/sanitize-url) before 6.0.2 allows XSS via HTML entities.
network
low complexity
paypal CWE-79
6.1
2022-03-16 CVE-2021-23648 Cross-site Scripting vulnerability in multiple products
The package @braintree/sanitize-url before 6.0.0 is vulnerable to Cross-site Scripting (XSS) due to improper sanitization in the sanitizeUrl function.
network
low complexity
paypal fedoraproject CWE-79
6.1
2019-07-10 CVE-2017-6217 Cross-site Scripting vulnerability in Paypal Adaptive Payments SDK 3.9.2
paypal/adaptivepayments-sdk-php v3.9.2 is vulnerable to a reflected XSS in SetPaymentOptions.php, resulting in code execution.
network
paypal CWE-79
4.3
2018-04-27 CVE-2013-7202 Permissions, Privileges, and Access Controls vulnerability in Paypal
The WebHybridClient class in PayPal 5.3 and earlier for Android allows remote attackers to execute arbitrary JavaScript on the system.
network
paypal CWE-264
6.8
2018-04-27 CVE-2013-7201 Improper Certificate Validation vulnerability in Paypal
WebHybridClient.java in PayPal 5.3 and earlier for Android ignores SSL errors, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information.
network
paypal CWE-295
5.8
2017-02-24 CVE-2017-6099 Cross-site Scripting vulnerability in Paypal Merchant-Sdk-PHP 3.9.1
Cross-site scripting (XSS) vulnerability in GetAuthDetails.html.php in PayPal PHP Merchant SDK (aka merchant-sdk-php) 3.9.1 allows remote attackers to inject arbitrary web script or HTML via the token parameter.
network
paypal CWE-79
4.3
2012-11-06 CVE-2011-5237 Improper Input Validation vulnerability in Paypal WPS Toolkit
PayPal WPS ToolKit does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
network
paypal CWE-20
5.8
2012-11-04 CVE-2012-5806 Improper Input Validation vulnerability in multiple products
The PayPal Payments Pro module in Zen Cart does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate, related to use of the PHP fsockopen function, a different vulnerability than CVE-2012-5805.
5.8
2012-11-04 CVE-2012-5805 Improper Input Validation vulnerability in multiple products
The PayPal IPN functionality in Zen Cart does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate, a different vulnerability than CVE-2012-5806.
5.8
2012-11-04 CVE-2012-5802 Improper Input Validation vulnerability in multiple products
The PayPal module in Ubercart does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
5.8