SCA: security update for sylius/paypal-plugin (GHSA-pqq3-q84h-pj6x)

medium Tenable Self-Hosted Container Security Plugin ID 421142

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- The Syliud PayPal Plugin is the Sylius Core Team’s plugin for the PayPal Commerce Platform. A
vulnerability in versions prior to 1.6.1, 1.7.1, and 2.0.1 allows users to manipulate the final payment
amount processed by PayPal. If a user modifies the item quantity in their shopping cart after initiating
the PayPal Express Checkout process, PayPal will not receive the updated total amount. As a result, PayPal
captures only the initially transmitted amount, while Sylius incorrectly considers the order fully paid
based on the modified total. This flaw can be exploited both accidentally and intentionally, potentially
enabling fraud by allowing customers to pay less than the actual order value. Attackers can intentionally
pay less than the actual total order amount, business owners may suffer financial losses due to underpaid
orders, and integrity of payment processing is compromised. The issue is fixed in versions 1.6.1, 1.7.1,
2.0.1, and above. To resolve the problem in the end application without updating to the newest patches,
there is a need to overwrite `ProcessPayPalOrderAction`, `CompletePayPalOrderFromPaymentPageAction`, and
`CaptureAction` with modified logic. (CVE-2025-29788)

See Also

https://github.com/advisories/GHSA-pqq3-q84h-pj6x

Plugin Details

Severity: Medium

ID: 421142

Version: Revision 1.17

Type: Local

Family: SCA Checks

Published: 3/18/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.92

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 5.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:C/A:N

CVSS Score Source: CVE-2025-29788

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 5.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 3/17/2025

Vulnerability Publication Date: 3/17/2025

Reference Information

CVE: CVE-2025-29788

cwe: CWE-472