cvelistv5 - CVE-2025-30152

CVE-2025-30152 (GCVE-0-2025-30152)

Vulnerability from cvelistv5

Published

2025-03-19 15:57

Modified

2025-03-19 18:26

Severity ?

6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

CWE

CWE-472 - External Control of Assumed-Immutable Web Parameter

Summary

The Syliud PayPal Plugin is the Sylius Core Team’s plugin for the PayPal Commerce Platform. Prior to 1.6.2, 1.7.2, and 2.0.2, a discovered vulnerability allows users to modify their shopping cart after completing the PayPal Checkout process and payment authorization. If a user initiates a PayPal transaction from a product page or the cart page and then returns to the order summary page, they can still manipulate the cart contents before finalizing the order. As a result, the order amount in Sylius may be higher than the amount actually captured by PayPal, leading to a scenario where merchants deliver products or services without full payment. The issue is fixed in versions: 1.6.2, 1.7.2, 2.0.2 and above.

References

URL

Tags

	security-advisories@github.com	https://github.com/Sylius/PayPalPlugin/commit/5613df827a6d4fc50862229295976200a68e97aa
	security-advisories@github.com	https://github.com/Sylius/PayPalPlugin/security/advisories/GHSA-hxg4-65p5-9w37

Impacted products

	Vendor	Product	Version
	Sylius	PayPalPlugin	Version: < 1.6.2 Version: >= 1.7.0, < 1.7.2 Version: >= 2.0.0, < 2.0.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-30152",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-19T18:26:26.455424Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-19T18:26:39.691Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "PayPalPlugin",
          "vendor": "Sylius",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.6.2"
            },
            {
              "status": "affected",
              "version": "\u003e= 1.7.0, \u003c 1.7.2"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.0.0, \u003c 2.0.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Syliud PayPal Plugin is the Sylius Core Team\u2019s plugin for the PayPal Commerce Platform. Prior to 1.6.2, 1.7.2, and 2.0.2, a discovered vulnerability allows users to modify their shopping cart after completing the PayPal Checkout process and payment authorization. If a user initiates a PayPal transaction from a product page or the cart page and then returns to the order summary page, they can still manipulate the cart contents before finalizing the order. As a result, the order amount in Sylius may be higher than the amount actually captured by PayPal, leading to a scenario where merchants deliver products or services without full payment. The issue is fixed in versions: 1.6.2, 1.7.2, 2.0.2 and above."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-472",
              "description": "CWE-472: External Control of Assumed-Immutable Web Parameter",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-03-19T15:57:32.445Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/Sylius/PayPalPlugin/security/advisories/GHSA-hxg4-65p5-9w37",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/Sylius/PayPalPlugin/security/advisories/GHSA-hxg4-65p5-9w37"
        },
        {
          "name": "https://github.com/Sylius/PayPalPlugin/commit/5613df827a6d4fc50862229295976200a68e97aa",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/Sylius/PayPalPlugin/commit/5613df827a6d4fc50862229295976200a68e97aa"
        }
      ],
      "source": {
        "advisory": "GHSA-hxg4-65p5-9w37",
        "discovery": "UNKNOWN"
      },
      "title": "Sylius PayPal Plugin has an Order Manipulation Vulnerability after PayPal Checkout"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-30152",
    "datePublished": "2025-03-19T15:57:32.445Z",
    "dateReserved": "2025-03-17T12:41:42.565Z",
    "dateUpdated": "2025-03-19T18:26:39.691Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-30152\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-03-19T16:15:33.313\",\"lastModified\":\"2025-03-19T16:15:33.313\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The Syliud PayPal Plugin is the Sylius Core Team\u2019s plugin for the PayPal Commerce Platform. Prior to 1.6.2, 1.7.2, and 2.0.2, a discovered vulnerability allows users to modify their shopping cart after completing the PayPal Checkout process and payment authorization. If a user initiates a PayPal transaction from a product page or the cart page and then returns to the order summary page, they can still manipulate the cart contents before finalizing the order. As a result, the order amount in Sylius may be higher than the amount actually captured by PayPal, leading to a scenario where merchants deliver products or services without full payment. The issue is fixed in versions: 1.6.2, 1.7.2, 2.0.2 and above.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-472\"}]}],\"references\":[{\"url\":\"https://github.com/Sylius/PayPalPlugin/commit/5613df827a6d4fc50862229295976200a68e97aa\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/Sylius/PayPalPlugin/security/advisories/GHSA-hxg4-65p5-9w37\",\"source\":\"security-advisories@github.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-30152\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-03-19T18:26:26.455424Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-03-19T18:26:35.268Z\"}}], \"cna\": {\"title\": \"Sylius PayPal Plugin has an Order Manipulation Vulnerability after PayPal Checkout\", \"source\": {\"advisory\": \"GHSA-hxg4-65p5-9w37\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"Sylius\", \"product\": \"PayPalPlugin\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 1.6.2\"}, {\"status\": \"affected\", \"version\": \"\u003e= 1.7.0, \u003c 1.7.2\"}, {\"status\": \"affected\", \"version\": \"\u003e= 2.0.0, \u003c 2.0.2\"}]}], \"references\": [{\"url\": \"https://github.com/Sylius/PayPalPlugin/security/advisories/GHSA-hxg4-65p5-9w37\", \"name\": \"https://github.com/Sylius/PayPalPlugin/security/advisories/GHSA-hxg4-65p5-9w37\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/Sylius/PayPalPlugin/commit/5613df827a6d4fc50862229295976200a68e97aa\", \"name\": \"https://github.com/Sylius/PayPalPlugin/commit/5613df827a6d4fc50862229295976200a68e97aa\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"The Syliud PayPal Plugin is the Sylius Core Team\\u2019s plugin for the PayPal Commerce Platform. Prior to 1.6.2, 1.7.2, and 2.0.2, a discovered vulnerability allows users to modify their shopping cart after completing the PayPal Checkout process and payment authorization. If a user initiates a PayPal transaction from a product page or the cart page and then returns to the order summary page, they can still manipulate the cart contents before finalizing the order. As a result, the order amount in Sylius may be higher than the amount actually captured by PayPal, leading to a scenario where merchants deliver products or services without full payment. The issue is fixed in versions: 1.6.2, 1.7.2, 2.0.2 and above.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-472\", \"description\": \"CWE-472: External Control of Assumed-Immutable Web Parameter\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-03-19T15:57:32.445Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-30152\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-03-19T18:26:39.691Z\", \"dateReserved\": \"2025-03-17T12:41:42.565Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-03-19T15:57:32.445Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

ghsa-hxg4-65p5-9w37

Vulnerability from github

Published

2025-03-19 16:46

Modified

2025-03-20 18:59

Severity ?

6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Summary

Sylius PayPal Plugin has an Order Manipulation Vulnerability after PayPal Checkout

Details

A discovered vulnerability allows users to modify their shopping cart after completing the PayPal Checkout process and payment authorization. If a user initiates a PayPal transaction from a product page or the cart page and then returns to the order summary page, they can still manipulate the cart contents before finalizing the order. As a result, the order amount in Sylius may be higher than the amount actually captured by PayPal, leading to a scenario where merchants deliver products or services without full payment.

Impact

Users can exploit this flaw to receive products/services without paying the full amount.
Merchants may suffer financial losses due to underpaid orders.
Trust in the integrity of the payment process is compromised.

Patches

The issue is fixed in versions: 1.6.2, 1.7.2, 2.0.2 and above.

Workarounds

To resolve the problem in the end application without updating to the newest patches, there is a need to overwrite PayPalOrderCompleteProcessor with modified logic:

```php

getLastPayment(PaymentInterface::STATE_PROCESSING); if ($payment === null) { return; } /** @var PaymentMethodInterface $paymentMethod */ $paymentMethod = $payment->getMethod(); /** @var GatewayConfigInterface $gatewayConfig */ $gatewayConfig = $paymentMethod->getGatewayConfig(); if ($gatewayConfig->getFactoryName() !== 'sylius.pay_pal') { return; } try { $this->verify($payment); } catch (\Exception) { $this->paymentStateManager->cancel($payment); return; } $this->paymentStateManager->complete($payment); } private function verify(PaymentInterface $payment): void { $totalAmount = $this->getTotalPaymentAmountFromPaypal($payment); if ($payment->getOrder()->getTotal() !== $totalAmount) { throw new \Exception(); } } private function getTotalPaymentAmountFromPaypal(PaymentInterface $payment): int { $details = $payment->getDetails(); return $details['payment_amount'] ?? 0; } } ``` ### IMPORTANT For `PayPalPlugin 2.x` change: ```php $gatewayConfig->getFactoryName() !== 'sylius.pay_pal' ``` to ```php $gatewayConfig->getFactoryName() !== SyliusPayPalExtension::PAYPAL_FACTORY_NAME ``` Also there is a need to overwrite `CompletePayPalOrderListener` with modified logic: ```php getSubject(); Assert::isInstanceOf($order, OrderInterface::class); $this->completeProcessor->completePayPalOrder($order); } } ``` And to overwrite `CaptureAction` with modified logic (if you didn't have it already): ```php getModel(); /** @var PaymentMethodInterface $paymentMethod */ $paymentMethod = $payment->getMethod(); $token = $this->authorizeClientApi->authorize($paymentMethod); $referenceId = $this->uuidProvider->provide(); $content = $this->createOrderApi->create($token, $payment, $referenceId); if ($content['status'] === 'CREATED') { $payment->setDetails([ 'status' => StatusAction::STATUS_CAPTURED, 'paypal_order_id' => $content['id'], 'reference_id' => $referenceId, 'payment_amount' => $payment->getAmount(), ]); } } public function supports($request): bool { return $request instanceof Capture && $request->getModel() instanceof PaymentInterface ; } } ``` After that, register services in the container when using PayPal 1.x: ```yaml Sylius\PayPalPlugin\EventListener\Workflow\CompletePayPalOrderListener: class: App\EventListener\Workflow\CompletePayPalOrderListener public: true arguments: - '@Sylius\PayPalPlugin\Processor\PayPalOrderCompleteProcessor' tags: - { name: 'kernel.event_listener', event: 'workflow.sylius_order_checkout.completed.complete', priority: 100 } Sylius\PayPalPlugin\Processor\PayPalOrderCompleteProcessor: class: App\Processor\PayPalOrderCompleteProcessor public: true arguments: - '@Sylius\PayPalPlugin\Manager\PaymentStateManagerInterface' Sylius\PayPalPlugin\Payum\Action\CaptureAction: class: App\Payum\Action\CaptureAction public: true arguments: - '@Sylius\PayPalPlugin\Api\CacheAuthorizeClientApiInterface' - '@Sylius\PayPalPlugin\Api\CreateOrderApiInterface' - '@Sylius\PayPalPlugin\Provider\UuidProviderInterface' tags: - { name: 'payum.action', factory: 'sylius.pay_pal', alias: 'payum.action.capture' } ``` or when using PayPal 2.x: ```yaml sylius_paypal.listener.workflow.complete_paypal_order: class: App\EventListener\Workflow\CompletePayPalOrderListener public: true arguments: - '@sylius_paypal.processor.paypal_order_complete' tags: - { name: 'kernel.event_listener', event: 'workflow.sylius_order_checkout.completed.complete', priority: 100 } sylius_paypal.processor.paypal_order_complete: class: App\Processor\PayPalOrderCompleteProcessor public: true arguments: - '@sylius_paypal.manager.payment_state' sylius_paypal.payum.action.capture: class: App\Payum\Action\CaptureAction public: true arguments: - '@sylius_paypal.api.cache_authorize_client' - '@sylius_paypal.api.create_order' - '@sylius_paypal.provider.uuid' tags: - { name: 'payum.action', factory: 'sylius.paypal', alias: 'payum.action.capture' } ``` ### For more information If you have any questions or comments about this advisory: * Open an issue in [Sylius issues](https://github.com/Sylius/Sylius/issues) * Email us at security@sylius.com ?>

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "sylius/paypal-plugin"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.6.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "sylius/paypal-plugin"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.7.0"
            },
            {
              "fixed": "1.7.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "sylius/paypal-plugin"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-30152"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-472"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-19T16:46:30Z",
    "nvd_published_at": "2025-03-19T16:15:33Z",
    "severity": "MODERATE"
  },
  "details": "A discovered vulnerability allows users to modify their shopping cart after completing the PayPal Checkout process and payment authorization. If a user initiates a PayPal transaction from a product page or the cart page and then returns to the order summary page, they can still manipulate the cart contents before finalizing the order. As a result, the order amount in Sylius may be higher than the amount actually captured by PayPal, leading to a scenario where merchants deliver products or services without full payment.\n\n### Impact\n\n- Users can exploit this flaw to receive products/services without paying the full amount.\n- Merchants may suffer financial losses due to underpaid orders.\n- Trust in the integrity of the payment process is compromised.\n\n### Patches\n\nThe issue is fixed in versions: 1.6.2, 1.7.2, 2.0.2 and above.\n\n### Workarounds\n\nTo resolve the problem in the end application without updating to the newest patches, there is a need to overwrite `PayPalOrderCompleteProcessor` with modified logic:\n\n```php\n\u003c?php\n\ndeclare(strict_types=1);\n\nnamespace App\\Processor;\n\nuse Sylius\\Bundle\\PayumBundle\\Model\\GatewayConfigInterface;\nuse Sylius\\Component\\Core\\Model\\OrderInterface;\nuse Sylius\\Component\\Core\\Model\\PaymentInterface;\nuse Sylius\\Component\\Core\\Model\\PaymentMethodInterface;\nuse Sylius\\PayPalPlugin\\Manager\\PaymentStateManagerInterface;\n\nfinal class PayPalOrderCompleteProcessor\n{\n    public function __construct(private readonly PaymentStateManagerInterface $paymentStateManager) {\n    }\n\n    public function completePayPalOrder(OrderInterface $order): void\n    {\n        $payment = $order-\u003egetLastPayment(PaymentInterface::STATE_PROCESSING);\n        if ($payment === null) {\n            return;\n        }\n\n        /** @var PaymentMethodInterface $paymentMethod */\n        $paymentMethod = $payment-\u003egetMethod();\n        /** @var GatewayConfigInterface $gatewayConfig */\n        $gatewayConfig = $paymentMethod-\u003egetGatewayConfig();\n\n        if ($gatewayConfig-\u003egetFactoryName() !== \u0027sylius.pay_pal\u0027) {\n            return;\n        }\n\n        try {\n            $this-\u003everify($payment);\n        } catch (\\Exception) {\n            $this-\u003epaymentStateManager-\u003ecancel($payment);\n\n            return;\n        }\n\n        $this-\u003epaymentStateManager-\u003ecomplete($payment);\n    }\n\n    private function verify(PaymentInterface $payment): void\n    {\n        $totalAmount = $this-\u003egetTotalPaymentAmountFromPaypal($payment);\n\n        if ($payment-\u003egetOrder()-\u003egetTotal() !== $totalAmount) {\n            throw new \\Exception();\n        }\n    }\n\n    private function getTotalPaymentAmountFromPaypal(PaymentInterface $payment): int\n    {\n        $details = $payment-\u003egetDetails();\n\n        return $details[\u0027payment_amount\u0027] ?? 0;\n    }\n}\n```\n\n### IMPORTANT\n\nFor `PayPalPlugin 2.x` change:\n```php\n$gatewayConfig-\u003egetFactoryName() !== \u0027sylius.pay_pal\u0027\n```\nto\n```php\n$gatewayConfig-\u003egetFactoryName() !== SyliusPayPalExtension::PAYPAL_FACTORY_NAME\n```\n\nAlso there is a need to overwrite `CompletePayPalOrderListener` with modified logic:\n\n```php\n\u003c?php\n\ndeclare(strict_types=1);\n\nnamespace App\\EventListener\\Workflow;\n\nuse App\\Processor\\PayPalOrderCompleteProcessor;\nuse Sylius\\Component\\Core\\Model\\OrderInterface;\nuse Symfony\\Component\\Workflow\\Event\\CompletedEvent;\nuse Webmozart\\Assert\\Assert;\n\nfinal class CompletePayPalOrderListener\n{\n    public function __construct(private readonly PayPalOrderCompleteProcessor $completeProcessor)\n    {\n    }\n\n    public function __invoke(CompletedEvent $event): void\n    {\n        /** @var OrderInterface $order */\n        $order = $event-\u003egetSubject();\n        Assert::isInstanceOf($order, OrderInterface::class);\n\n        $this-\u003ecompleteProcessor-\u003ecompletePayPalOrder($order);\n    }\n}\n\n```\n\nAnd to overwrite `CaptureAction` with modified logic (if you didn\u0027t have it already):\n\n```php\n\u003c?php\n\ndeclare(strict_types=1);\n\nnamespace App\\Payum\\Action;\n\nuse Payum\\Core\\Action\\ActionInterface;\nuse Payum\\Core\\Exception\\RequestNotSupportedException;\nuse Payum\\Core\\Request\\Capture;\nuse Sylius\\Component\\Core\\Model\\PaymentInterface;\nuse Sylius\\Component\\Core\\Model\\PaymentMethodInterface;\nuse Sylius\\PayPalPlugin\\Api\\CacheAuthorizeClientApiInterface;\nuse Sylius\\PayPalPlugin\\Api\\CreateOrderApiInterface;\nuse Sylius\\PayPalPlugin\\Payum\\Action\\StatusAction;\nuse Sylius\\PayPalPlugin\\Provider\\UuidProviderInterface;\n\nfinal class CaptureAction implements ActionInterface\n{\n    public function __construct(\n        private CacheAuthorizeClientApiInterface $authorizeClientApi,\n        private CreateOrderApiInterface $createOrderApi,\n        private UuidProviderInterface $uuidProvider,\n    ) {\n    }\n\n    /** @param Capture $request */\n    public function execute($request): void\n    {\n        RequestNotSupportedException::assertSupports($this, $request);\n\n        /** @var PaymentInterface $payment */\n        $payment = $request-\u003egetModel();\n        /** @var PaymentMethodInterface $paymentMethod */\n        $paymentMethod = $payment-\u003egetMethod();\n\n        $token = $this-\u003eauthorizeClientApi-\u003eauthorize($paymentMethod);\n\n        $referenceId = $this-\u003euuidProvider-\u003eprovide();\n        $content = $this-\u003ecreateOrderApi-\u003ecreate($token, $payment, $referenceId);\n\n        if ($content[\u0027status\u0027] === \u0027CREATED\u0027) {\n            $payment-\u003esetDetails([\n                \u0027status\u0027 =\u003e StatusAction::STATUS_CAPTURED,\n                \u0027paypal_order_id\u0027 =\u003e $content[\u0027id\u0027],\n                \u0027reference_id\u0027 =\u003e $referenceId,\n                \u0027payment_amount\u0027 =\u003e $payment-\u003egetAmount(),\n            ]);\n        }\n    }\n\n    public function supports($request): bool\n    {\n        return\n            $request instanceof Capture \u0026\u0026\n            $request-\u003egetModel() instanceof PaymentInterface\n        ;\n    }\n}\n```\n\nAfter that, register services in the container when using PayPal 1.x:\n\n```yaml\nSylius\\PayPalPlugin\\EventListener\\Workflow\\CompletePayPalOrderListener:\n    class: App\\EventListener\\Workflow\\CompletePayPalOrderListener\n    public: true\n    arguments:\n        - \u0027@Sylius\\PayPalPlugin\\Processor\\PayPalOrderCompleteProcessor\u0027\n    tags: \n        - { name: \u0027kernel.event_listener\u0027, event: \u0027workflow.sylius_order_checkout.completed.complete\u0027, priority: 100 }\n    \nSylius\\PayPalPlugin\\Processor\\PayPalOrderCompleteProcessor:\n    class: App\\Processor\\PayPalOrderCompleteProcessor\n    public: true\n    arguments:\n        - \u0027@Sylius\\PayPalPlugin\\Manager\\PaymentStateManagerInterface\u0027\n\nSylius\\PayPalPlugin\\Payum\\Action\\CaptureAction:\n    class: App\\Payum\\Action\\CaptureAction\n    public: true\n    arguments:\n        - \u0027@Sylius\\PayPalPlugin\\Api\\CacheAuthorizeClientApiInterface\u0027\n        - \u0027@Sylius\\PayPalPlugin\\Api\\CreateOrderApiInterface\u0027\n        - \u0027@Sylius\\PayPalPlugin\\Provider\\UuidProviderInterface\u0027\n    tags:\n        - { name: \u0027payum.action\u0027, factory: \u0027sylius.pay_pal\u0027, alias: \u0027payum.action.capture\u0027 }\n```\n\nor when using PayPal 2.x:\n\n```yaml\nsylius_paypal.listener.workflow.complete_paypal_order:\n    class: App\\EventListener\\Workflow\\CompletePayPalOrderListener\n    public: true\n    arguments:\n        - \u0027@sylius_paypal.processor.paypal_order_complete\u0027\n    tags: \n        - { name: \u0027kernel.event_listener\u0027, event: \u0027workflow.sylius_order_checkout.completed.complete\u0027, priority: 100 }\n    \nsylius_paypal.processor.paypal_order_complete:\n    class: App\\Processor\\PayPalOrderCompleteProcessor\n    public: true\n    arguments:\n        - \u0027@sylius_paypal.manager.payment_state\u0027\n\nsylius_paypal.payum.action.capture:\n    class: App\\Payum\\Action\\CaptureAction\n    public: true\n    arguments:\n        - \u0027@sylius_paypal.api.cache_authorize_client\u0027\n        - \u0027@sylius_paypal.api.create_order\u0027\n        - \u0027@sylius_paypal.provider.uuid\u0027\n    tags:\n        - { name: \u0027payum.action\u0027, factory: \u0027sylius.paypal\u0027, alias: \u0027payum.action.capture\u0027 }\n```\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n* Open an issue in [Sylius issues](https://github.com/Sylius/Sylius/issues)\n* Email us at security@sylius.com",
  "id": "GHSA-hxg4-65p5-9w37",
  "modified": "2025-03-20T18:59:42Z",
  "published": "2025-03-19T16:46:30Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Sylius/PayPalPlugin/security/advisories/GHSA-hxg4-65p5-9w37"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30152"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Sylius/PayPalPlugin/commit/5613df827a6d4fc50862229295976200a68e97aa"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Sylius/PayPalPlugin"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Sylius PayPal Plugin has an Order Manipulation Vulnerability after PayPal Checkout"
}

fkie_cve-2025-30152

Vulnerability from fkie_nvd

Published

2025-03-19 16:15

Modified

2025-03-19 16:15

Severity ?

6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/Sylius/PayPalPlugin/commit/5613df827a6d4fc50862229295976200a68e97aa
	security-advisories@github.com	https://github.com/Sylius/PayPalPlugin/security/advisories/GHSA-hxg4-65p5-9w37

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The Syliud PayPal Plugin is the Sylius Core Team\u2019s plugin for the PayPal Commerce Platform. Prior to 1.6.2, 1.7.2, and 2.0.2, a discovered vulnerability allows users to modify their shopping cart after completing the PayPal Checkout process and payment authorization. If a user initiates a PayPal transaction from a product page or the cart page and then returns to the order summary page, they can still manipulate the cart contents before finalizing the order. As a result, the order amount in Sylius may be higher than the amount actually captured by PayPal, leading to a scenario where merchants deliver products or services without full payment. The issue is fixed in versions: 1.6.2, 1.7.2, 2.0.2 and above."
    },
    {
      "lang": "es",
      "value": "El Syliud PayPal es el complemento del equipo principal de Sylius para la plataforma PayPal Commerce. En versiones anteriores a las 1.6.2, 1.7.2 y 2.0.2, se descubri\u00f3 una vulnerabilidad que permit\u00eda a los usuarios modificar su carrito de compra tras completar el proceso de pago y la autorizaci\u00f3n del pago. Si un usuario inicia una transacci\u00f3n de PayPal desde la p\u00e1gina de un producto o del carrito y luego regresa a la p\u00e1gina de resumen del pedido, a\u00fan puede manipular el contenido del carrito antes de finalizarlo. Como resultado, el importe del pedido en Sylius puede ser superior al importe real capturado por PayPal, lo que provoca que los comerciantes entreguen productos o servicios sin el pago completo. El problema se ha solucionado en las versiones 1.6.2, 1.7.2, 2.0.2 y posteriores."
    }
  ],
  "id": "CVE-2025-30152",
  "lastModified": "2025-03-19T16:15:33.313",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-03-19T16:15:33.313",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/Sylius/PayPalPlugin/commit/5613df827a6d4fc50862229295976200a68e97aa"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/Sylius/PayPalPlugin/security/advisories/GHSA-hxg4-65p5-9w37"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-472"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2025-30152 (GCVE-0-2025-30152)

Vulnerability from cvelistv5

ghsa-hxg4-65p5-9w37

Vulnerability from github

Impact

Patches

Workarounds

fkie_cve-2025-30152

Vulnerability from fkie_nvd

Tags

Sightings

Nomenclature