CVE-2024-41670

{"id": "CVE-2024-41670", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2024-07-26T15:15:11.053", "references": [{"url": "https://github.com/202ecommerce/paypal/security/advisories/GHSA-w3w3-j3mh-3354", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-285"}, {"lang": "en", "value": "CWE-863"}]}], "descriptions": [{"lang": "en", "value": "In the module \"PayPal Official\" for PrestaShop 7+ releases prior to version 6.4.2 and for PrestaShop 1.6 releases prior to version 3.18.1, a malicious customer can confirm an order even if payment is finally declined by PayPal. A logical weakness during the capture of a payment in case of disabled webhooks can be exploited to create an accepted order. This could allow a threat actor to confirm an order with a fraudulent payment support. Versions 6.4.2 and 3.18.1 contain a patch for the issue. Additionally, users enable webhooks and check they are callable."}, {"lang": "es", "value": " En el m\u00f3dulo \"PayPal Official\" para las versiones PrestaShop 7+ anteriores a la versi\u00f3n 6.4.2 y para las versiones PrestaShop 1.6 anteriores a la versi\u00f3n 3.18.1, un cliente malintencionado puede confirmar un pedido incluso si PayPal finalmente rechaza el pago. Una debilidad l\u00f3gica durante la captura de un pago en caso de webhooks deshabilitados se puede aprovechar para crear un pedido aceptado. Esto podr\u00eda permitir que un actor de amenazas confirme un pedido con un soporte de pago fraudulento. Las versiones 6.4.2 y 3.18.1 contienen un parche para el problema. Adem\u00e1s, los usuarios habilitan webhooks y verifican que se puedan llamar."}], "lastModified": "2024-07-29T14:12:08.783", "sourceIdentifier": "security-advisories@github.com"}