CVE-2014-10067

MEDIUM

paypal-ipn < 3.0.0 - Improper Authentication via test_ipn Parameter

Title source: llm
STIX 2.1

Description

paypal-ipn before 3.0.0 uses the `test_ipn` parameter (which is set by the PayPal IPN simulator) to determine if it should use the production PayPal site or the sandbox. With a bit of time, an attacker could craft a request using the simulator that would fool any application which does not explicitly check for test_ipn in production.

References (2)

Core 2
Core References
Issue Tracking, Third Party Advisory x_refsource_misc
https://github.com/andzdroid/paypal-ipn/issues/11
Third Party Advisory x_refsource_misc
https://nodesecurity.io/advisories/26

Scores

CVSS v3 5.9
EPSS 0.0117
EPSS Percentile 63.4%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE
CWE-287
Status published
Products (2)
npm/paypal-ipn 0 - 3.0.0npm
paypal-ipn_project/paypal-ipn < 3.0.0
Published May 29, 2018
Tracked Since Feb 18, 2026