PT-2021-23103 · Sylius · Sylius PayPal Plugin

Zales0123 · Published 2021-10-05 · Updated 2022-08-12 · CVE-2021-41120

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Sylius/PayPalPlugin versions prior to 1.2.4
Sylius/PayPalPlugin versions prior to 1.3.1

Description
The URL of the payment page reached after checkout was built from an auto-incremented payment id (/pay-with-paypal/{id}) and was therefore easy to predict. The credit card form on that page pre-fills the "credit card holder" field with the customer's first and last name, which can expose personally identifiable information. In addition, the form did not require authentication.

Recommendations
For versions prior to 1.2.4, update to version 1.2.4 or later. For versions prior to 1.3.1, update to version 1.3.1 or later. As a temporary workaround, override the sylius_paypal_plugin_pay_with_paypal_form route and change its URL parameters to (for example) {orderToken}/{paymentId}, then override the Sylius\PayPalPlugin\Controller\PayWithPayPalFormAction service so that it loads the payment from the repository by these two values; this also requires a custom repository method. Additionally, one can override the @SyliusPayPalPlugin/payWithPaypal.html.twig template to add a contingencies: ['SCA_ALWAYS'] line to the hostedFields.submit(...) call (line 421); the result then has to be handled in the function callback.
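To make the workaround concrete, the following is an added illustration written for this page; it is not code from Sylius/PayPalPlugin or from its maintainers. It shows the predictable-id lookup the advisory describes next to a lookup keyed on both the order token and the payment id, in a plain Symfony controller. The repository interface, the `findOneByOrderTokenAndId` method, the `tokenValue`/`getOrder()`/`getCustomer()` accessors and the template name are assumptions made for the example and are not the plugin's real identifiers.

```php
<?php
// Added example, not the plugin's own code. Assumed: Symfony routing/HTTP
// components, Doctrine ORM, Twig, and the hypothetical entity accessors below.

declare(strict_types=1);

namespace App\Controller;

use Doctrine\ORM\EntityRepository;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
use Symfony\Component\Routing\Annotation\Route;
use Twig\Environment;

/** Assumed repository contract (hypothetical). */
interface PaymentRepositoryInterface
{
    public function find(int $id): ?object;

    public function findOneByOrderTokenAndId(string $orderToken, int $paymentId): ?object;
}

/** Assumed Doctrine implementation; `o.tokenValue` is the order's checkout token (assumption). */
final class PaymentRepository extends EntityRepository implements PaymentRepositoryInterface
{
    public function findOneByOrderTokenAndId(string $orderToken, int $paymentId): ?object
    {
        // Both conditions are applied in one query, so a matching id with the
        // wrong token returns nothing rather than leaking the row.
        return $this->createQueryBuilder('p')
            ->innerJoin('p.order', 'o')
            ->andWhere('p.id = :id')
            ->andWhere('o.tokenValue = :token')
            ->setParameter('id', $paymentId)
            ->setParameter('token', $orderToken)
            ->getQuery()
            ->getOneOrNullResult();
    }
}

final class PayWithPayPalFormAction
{
    public function __construct(
        private PaymentRepositoryInterface $payments,
        private Environment $twig,
    ) {
    }

    // BEFORE: the pattern the advisory describes. The path parameter is a
    // sequential integer and nothing ties the request to the order's owner,
    // so the pre-filled card-holder name is reachable by id alone.
    public function vulnerable(Request $request): Response
    {
        $payment = $this->payments->find((int) $request->attributes->get('id', 0));
        if ($payment === null) {
            throw new NotFoundHttpException();
        }

        return $this->render($payment);
    }

    // AFTER: the route carries the order token issued at checkout alongside the
    // payment id. The token is a random, unguessable value, so the lookup only
    // succeeds for a party that already received it; the id on its own is useless.
    #[Route('/pay-with-paypal/{orderToken}/{paymentId}', methods: ['GET'], requirements: ['paymentId' => '\d+'])]
    public function hardened(Request $request): Response
    {
        $orderToken = (string) $request->attributes->get('orderToken', '');
        $paymentId = (int) $request->attributes->get('paymentId', 0);

        if ($orderToken === '' || $paymentId <= 0) {
            throw new NotFoundHttpException();
        }

        $payment = $this->payments->findOneByOrderTokenAndId($orderToken, $paymentId);
        if ($payment === null) {
            // Same response for "unknown id" and "wrong token": no enumeration oracle.
            throw new NotFoundHttpException();
        }

        return $this->render($payment);
    }

    private function render(object $payment): Response
    {
        // Accessors are assumptions for the example; the pre-filled holder name is
        // the data the advisory identifies as exposed.
        return new Response($this->twig->render('pay_with_paypal.html.twig', [
            'payment' => $payment,
            'cardHolder' => $payment->getOrder()->getCustomer()->getFullName(),
        ]));
    }
}
```

The essential change is that the authorising secret (the order token) is part of the lookup itself rather than a check bolted on after loading the row, and that the failure responses are indistinguishable, so an id sweep learns nothing. The SCA_ALWAYS contingency from the Recommendations is a separate, client-side mitigation in the Twig template and is not shown here.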

Fix

Information Disclosure · IDOR

Weakness Enumeration

Related Identifiers
CVE-2021-41120
GHSA-25FX-MXC2-76G7

Affected Products
Sylius PayPal Plugin