Sylius · Sylius Paypal Plugin · CVE-2021-41120
**Name of the Vulnerable Software and Affected Versions**
Sylius/PayPalPlugin versions prior to 1.2.4
Sylius/PayPalPlugin versions prior to 1.3.1
**Description**
The URL of the payment page reached after checkout was built from an autoincremented payment id (`/pay-with-paypal/{id}`) and was therefore easy to predict. The credit card form on that page prefills the "credit card holder" field with the customer's first and last name, which can expose personally identifiable information, and the form did not require authentication.
**Recommendations**
For versions prior to 1.2.4, update to version 1.2.4 or later.
For versions prior to 1.3.1, update to version 1.3.1 or later.
As a temporary workaround, consider overriding the `sylius_paypal_plugin_pay_with_paypal_form` route and changing its URL parameters to (for example) `{orderToken}/{paymentId}`, then overriding the `Sylius\PayPalPlugin\Controller\PayWithPayPalFormAction` service so that it operates on the payment fetched from the repository by these two values. This also requires a custom repository method.
Additionally, one could override the `@SyliusPayPalPlugin/payWithPaypal.html.twig` template to add a `contingencies: ['SCA_ALWAYS']` line to the `hostedFields.submit(...)` function call (line 421). The contingency would then have to be handled in the function callback.
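The following is an added sketch of the route-parameter workaround described above; it is not code from Sylius or the PayPal plugin. It assumes PHP 8, Sylius 1.x with Doctrine ORM, `Sylius\Bundle\CoreBundle\Doctrine\ORM\PaymentRepository` as the base repository class, and a route override in `config/routes.yaml` that keeps the plugin's route name so the original `/pay-with-paypal/{id}` definition is replaced. The `App\...` class names, the method name `findOneByOrderTokenAndId` and the template variable names are choices made here, not the plugin's API.

```php
<?php
// Added illustration (not Sylius or plugin code). Assumed route override in config/routes.yaml:
//
//   sylius_paypal_plugin_pay_with_paypal_form:
//       path: /pay-with-paypal/{orderToken}/{paymentId}
//       methods: [GET]
//       requirements: { paymentId: '\d+' }
//       defaults:
//           _controller: App\Controller\PayWithPayPalFormAction

declare(strict_types=1);

namespace App\Repository {
    // Assumed base class; the custom method name is our own choice.
    use Sylius\Bundle\CoreBundle\Doctrine\ORM\PaymentRepository as BasePaymentRepository;
    use Sylius\Component\Core\Model\PaymentInterface;

    final class PaymentRepository extends BasePaymentRepository
    {
        /**
         * Resolve a payment by the parent order's random token AND the payment id.
         * The autoincremented id alone never selects a row, so walking
         * /pay-with-paypal/1, /2, /3 ... no longer returns anyone's payment page.
         */
        public function findOneByOrderTokenAndId(string $orderToken, int $paymentId): ?PaymentInterface
        {
            return $this->createQueryBuilder('p')
                ->innerJoin('p.order', 'o')
                ->andWhere('o.tokenValue = :token')
                ->andWhere('p.id = :id')
                ->setParameter('token', $orderToken)
                ->setParameter('id', $paymentId)
                ->getQuery()
                ->getOneOrNullResult();
        }
    }
}

namespace App\Controller {
    use App\Repository\PaymentRepository;
    use Sylius\Component\Payment\Model\PaymentInterface;
    use Symfony\Component\HttpFoundation\Request;
    use Symfony\Component\HttpFoundation\Response;
    use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
    use Twig\Environment;

    // Replacement for the plugin's PayWithPayPalFormAction service (assumed wiring).
    final class PayWithPayPalFormAction
    {
        public function __construct(
            private PaymentRepository $paymentRepository,
            private Environment $twig,
        ) {
        }

        public function __invoke(Request $request, string $orderToken, int $paymentId): Response
        {
            $payment = $this->paymentRepository->findOneByOrderTokenAndId($orderToken, $paymentId);

            // Same 404 whether the id does not exist or the token does not match it,
            // so the response does not reveal which payment ids are in use.
            if (null === $payment) {
                throw new NotFoundHttpException('Payment not found.');
            }

            // Only a payment still awaiting completion should reach the card form.
            if (PaymentInterface::STATE_NEW !== $payment->getState()) {
                throw new NotFoundHttpException('Payment not found.');
            }

            // Template variable names are an assumption; pass whatever the
            // (possibly overridden) payWithPaypal.html.twig expects.
            return new Response($this->twig->render('@SyliusPayPalPlugin/payWithPaypal.html.twig', [
                'payment' => $payment,
                'order' => $payment->getOrder(),
            ]));
        }
    }
}
```

The order token (`tokenValue`) is a random value generated by Sylius per order, so it acts as the capability that the autoincremented id lacked; the id is kept only to pick one payment within that order. Every link to the payment page (checkout redirect, e-mails) must be regenerated with both parameters, and the plugin's original route must not remain reachable under another name, otherwise the predictable URL is still served.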