
PayPal Security Vulnerability in PrestaShop - CVE-2024-41670

PayPal Official Module Security Advisory: CVE-2024-41670

The “PayPal Official” module for PrestaShop has a critical vulnerability (CVE-2024-41670) that allows malicious users to confirm orders as "payment accepted" even when the payment is declined by PayPal.

Summary

Recommended Actions

Upgrade the PayPal Official module to version 6.4.2 or 3.18.1. Enable and verify webhooks to prevent exploitation.

Impact

This vulnerability could allow fraudsters to manipulate payment confirmations, posing risks to merchants using affected versions.

Timeline

For more information, visit the Friends of Presta Security Advisory.