PT-2018-4156 · Paypal · Paypal-Ipn

Published

2018-05-29

·

Updated

2020-08-31

·

CVE-2014-10067

CVSS v3.1

5.9

Medium

Vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

paypal-ipn versions 2.x.x and earlier (all versions prior to 3.0.0)

Description

The issue concerns a validation bypass vulnerability. paypal-ipn uses the test_ipn parameter, set by the PayPal IPN simulator, to determine whether to verify a notification against the production PayPal site or the sandbox. An attacker could craft a request using the simulator to fool an application into entering sandbox mode, potentially allowing purchases without valid payment.

Recommendations

For versions 2.x.x and earlier, upgrade to version 3.0.0 or later. As a temporary workaround, explicitly check for the test_ipn parameter in production so that a notification carrying it cannot switch verification to the sandbox.
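As an added example (not code from the paypal-ipn package or from this advisory), the following Node.js snippet contrasts the decision the advisory describes, where the notification's own test_ipn field chooses the sandbox, with the recommended workaround of deciding the environment from server-side configuration and refusing test notifications in production. The verification URLs, the allowSandbox option name, the handleIpn and fakeVerify helpers and the two sample IPN bodies are assumptions constructed for this example; test_ipn and txn_id are standard IPN fields.

```javascript
// Added example, not the paypal-ipn package's own code. Shows why trusting the
// notification's `test_ipn` field is a validation bypass and how a server-side
// `allowSandbox` setting (an assumed option name) closes it.

// Verification endpoints assumed for this example.
const PRODUCTION_VERIFY_URL = 'https://ipnpb.paypal.com/cgi-bin/webscr';
const SANDBOX_VERIFY_URL = 'https://ipnpb.sandbox.paypal.com/cgi-bin/webscr';

// Parse a raw IPN POST body (application/x-www-form-urlencoded) into a plain object.
function parseIpnBody(rawBody) {
  const fields = {};
  for (const [key, value] of new URLSearchParams(rawBody)) {
    fields[key] = value;
  }
  return fields;
}

// VULNERABLE pattern (paypal-ipn before 3.0.0, as the advisory describes): the
// notification itself picks the endpoint, so `test_ipn=1` routes verification
// to the sandbox, where a simulator-generated message is reported as valid.
function vulnerableSelectEndpoint(fields) {
  return fields.test_ipn === '1' ? SANDBOX_VERIFY_URL : PRODUCTION_VERIFY_URL;
}

// HARDENED pattern (the advisory's workaround): only server-side configuration
// may enable the sandbox. In production, a notification claiming to be a test
// message is refused instead of being verified against the sandbox.
function hardenedSelectEndpoint(fields, config) {
  const claimsTest = fields.test_ipn === '1';
  if (!config.allowSandbox && claimsTest) {
    throw new Error('test_ipn received while sandbox verification is disabled');
  }
  return claimsTest ? SANDBOX_VERIFY_URL : PRODUCTION_VERIFY_URL;
}

// IPN handler using the hardened selection. `verify(endpoint, rawBody)` is
// injected so the example runs offline; a real implementation would POST
// 'cmd=_notify-validate&' + rawBody to `endpoint` and require the reply "VERIFIED".
function handleIpn(rawBody, config, verify) {
  const fields = parseIpnBody(rawBody);
  let endpoint;
  try {
    endpoint = hardenedSelectEndpoint(fields, config);
  } catch (err) {
    return { accepted: false, txnId: fields.txn_id, reason: err.message };
  }
  return { accepted: verify(endpoint, rawBody), txnId: fields.txn_id, endpoint };
}

// Constructed sample notifications: one shaped like an IPN-simulator message
// carrying `test_ipn=1`, one shaped like a genuine production notification.
const SIMULATOR_IPN = 'test_ipn=1&txn_id=SIM0001&payment_status=Completed&mc_gross=49.99';
const PRODUCTION_IPN = 'txn_id=REAL0001&payment_status=Completed&mc_gross=49.99';

// Offline stand-in for PayPal: the sandbox "verifies" the simulator message,
// the production endpoint verifies only the genuine message.
function fakeVerify(endpoint, rawBody) {
  if (endpoint === SANDBOX_VERIFY_URL) return rawBody === SIMULATOR_IPN;
  return rawBody === PRODUCTION_IPN;
}

// Demonstration run.
console.log('vulnerable routing for simulator message:',
  vulnerableSelectEndpoint(parseIpnBody(SIMULATOR_IPN)));
console.log('hardened, production config, simulator message:',
  handleIpn(SIMULATOR_IPN, { allowSandbox: false }, fakeVerify));
console.log('hardened, production config, genuine message:',
  handleIpn(PRODUCTION_IPN, { allowSandbox: false }, fakeVerify));
```

With allowSandbox left off (the production setting), the simulator message is refused before any network round trip, and the decision to talk to the sandbox never depends on data the sender controls; turning allowSandbox on is a deliberate deployment choice for test environments only.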

Fix

Improper Authentication


Weakness Enumeration

Related identifiers

CVE-2014-10067
GHSA-H698-R4HM-W94P

Affected products

Paypal-Ipn