Vulnerabilities > Paypal > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-02-24 | CVE-2022-48345 | Cross-site Scripting vulnerability in Paypal Braintree/Sanitize-Url sanitize-url (aka @braintree/sanitize-url) before 6.0.2 allows XSS via HTML entities. | 6.1 |
| 2022-03-16 | CVE-2021-23648 | Cross-site Scripting vulnerability in multiple products The package @braintree/sanitize-url before 6.0.0 are vulnerable to Cross-site Scripting (XSS) due to improper sanitization in sanitizeUrl function. | 6.1 |
| 2019-07-10 | CVE-2017-6217 | Cross-site Scripting vulnerability in Paypal Adaptive Payments SDK 3.9.2 paypal/adaptivepayments-sdk-php v3.9.2 is vulnerable to a reflected XSS in the SetPaymentOptions.php resulting code execution | 4.3 |
| 2018-04-27 | CVE-2013-7202 | Permissions, Privileges, and Access Controls vulnerability in Paypal The WebHybridClient class in PayPal 5.3 and earlier for Android allows remote attackers to execute arbitrary JavaScript on the system. | 6.8 |
| 2018-04-27 | CVE-2013-7201 | Improper Certificate Validation vulnerability in Paypal WebHybridClient.java in PayPal 5.3 and earlier for Android ignores SSL errors, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information. | 5.8 |
| 2017-02-24 | CVE-2017-6099 | Cross-site Scripting vulnerability in Paypal Merchant-Sdk-PHP 3.9.1 Cross-site scripting (XSS) vulnerability in GetAuthDetails.html.php in PayPal PHP Merchant SDK (aka merchant-sdk-php) 3.9.1 allows remote attackers to inject arbitrary web script or HTML via the token parameter. | 4.3 |
| 2012-11-06 | CVE-2011-5237 | Improper Input Validation vulnerability in Paypal WPS Toolkit PayPal WPS ToolKit does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. | 5.8 |
| 2012-11-04 | CVE-2012-5806 | Improper Input Validation vulnerability in multiple products The PayPal Payments Pro module in Zen Cart does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate, related to use of the PHP fsockopen function, a different vulnerability than CVE-2012-5805. | 5.8 |
| 2012-11-04 | CVE-2012-5805 | Improper Input Validation vulnerability in multiple products The PayPal IPN functionality in Zen Cart does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate, a different vulnerability than CVE-2012-5806. | 5.8 |
| 2012-11-04 | CVE-2012-5802 | Improper Input Validation vulnerability in multiple products The PayPal module in Ubercart does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. | 5.8 |