216.73.217.172

CVE-2025-30152

· Published 19/03/2025 16:15 · Modified 19/03/2025 16:15

Labels: CVE-2025-30152 2025-03-19CVE-2025-30152CWE-472[email protected]

Essential information

Published
19/03/2025 16:15
Modified
19/03/2025 16:15
Author
Creator
CVSS
6.5 MEDIUM (v3.1)
CISA KEV
No
CWE
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

CVSS metrics

Description

The Syliud PayPal Plugin is the Sylius Core Team’s plugin for the PayPal Commerce Platform. Prior to 1.6.2, 1.7.2, and 2.0.2, a discovered vulnerability allows users to modify their shopping cart after completing the PayPal Checkout process and payment authorization. If a user initiates a PayPal transaction from a product page or the cart page and then returns to the order summary page, they can still manipulate the cart contents before finalizing the order. As a result, the order amount in Sylius may be higher than the amount actually captured by PayPal, leading to a scenario where merchants deliver products or services without full payment. The issue is fixed in versions: 1.6.2, 1.7.2, 2.0.2 and above.

NVD status

Status
Awaiting Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
sylius / sylius paypal plugin cpe:2.3:a:sylius:sylius_paypal_plugin:1.6.2:*:*:*:*:*:*:*
sylius / sylius paypal plugin cpe:2.3:a:sylius:sylius_paypal_plugin:1.7.2:*:*:*:*:*:*:*
sylius / sylius paypal plugin cpe:2.3:a:sylius:sylius_paypal_plugin:2.0.2:*:*:*:*:*:*:*

References