Keeping your Sylius store secure is our top priority, and while security updates may not always be the most exciting news, they are absolutely essential. We work diligently to identify and address vulnerabilities, ensuring a safer experience for everyone in the Sylius ecosystem. We also strive to respond as quickly and efficiently as possible to any security issues reported by our community. Today, as part of this ongoing commitment, we’re rolling out important fixes for PayPalPlugin versions 1.6, 1.7, and 2.0. If you’re using this package, we encourage you to update and spread the word to help keep the entire community secure.
The original security advisory has been published on GitHub in the Sylius/Sylius repository.
This issue exists in all PayPalPlugin versions before 1.6.1, 1.7.1, and 2.0.1.
A vulnerability allows a customer to manipulate the amount that PayPal actually charges. If the customer changes item quantities in the cart after the PayPal Checkout process has been initiated, the updated total is never sent to PayPal: PayPal captures only the amount transmitted when checkout started, while Sylius marks the order as fully paid against the new, larger total. The discrepancy can arise accidentally or be exploited deliberately, enabling fraud in which a customer pays less than the real order value.
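The following added example, which is not code from PayPalPlugin or the Sylius project, shows the mismatch described above and the reconciliation check that closes it: the captured amount reported by PayPal is compared, in integer minor units and in the same currency, against the order total as it stands when the capture result is processed, and the payment is only marked completed when the two agree. The response array follows the shape of a PayPal Orders v2 capture response (purchase_units[].payments.captures[].amount), trimmed to the fields that matter here; the function names, the order and capture identifiers, and the sample amounts are constructed for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Convert a PayPal decimal amount string (e.g. "49.90") to integer minor units (4990).
 * Comparing integers avoids float rounding surprises; Sylius also stores totals in minor units.
 */
function toMinorUnits(string $decimal): int
{
    if (!preg_match('/^(\d+)(?:\.(\d{1,2}))?$/', $decimal, $m)) {
        throw new UnexpectedValueException("Unexpected PayPal amount format: {$decimal}");
    }
    return (int) $m[1] * 100 + (int) str_pad($m[2] ?? '', 2, '0');
}

/**
 * Sum every COMPLETED capture in a PayPal "capture order" response, in minor units.
 * A capture in an unexpected currency aborts the reconciliation instead of being skipped.
 */
function capturedTotal(array $captureResponse, string $expectedCurrency): int
{
    $total = 0;
    foreach ($captureResponse['purchase_units'] ?? [] as $unit) {
        foreach ($unit['payments']['captures'] ?? [] as $capture) {
            if (($capture['status'] ?? '') !== 'COMPLETED') {
                continue; // PENDING or DECLINED captures have not moved any money
            }
            $amount = $capture['amount'] ?? [];
            if (($amount['currency_code'] ?? '') !== $expectedCurrency) {
                throw new RuntimeException('Capture currency does not match the order currency');
            }
            $total += toMinorUnits((string) ($amount['value'] ?? ''));
        }
    }
    return $total;
}

/** The pattern the advisory describes: a successful capture is treated as "order fully paid". */
function vulnerablePaymentState(array $captureResponse): string
{
    return ($captureResponse['status'] ?? '') === 'COMPLETED' ? 'completed' : 'failed';
}

/**
 * Hardened variant: the payment becomes "completed" only when the amount PayPal captured
 * equals the order total at capture time, in the order's currency. Anything else is
 * left as failed so it can be reviewed, rather than being marked paid.
 */
function reconciledPaymentState(int $orderTotalMinor, string $orderCurrency, array $captureResponse): string
{
    if (($captureResponse['status'] ?? '') !== 'COMPLETED') {
        return 'failed';
    }
    try {
        $captured = capturedTotal($captureResponse, $orderCurrency);
    } catch (RuntimeException $e) { // also covers UnexpectedValueException from toMinorUnits
        return 'failed';
    }
    return $captured === $orderTotalMinor ? 'completed' : 'failed';
}

// Constructed scenario (not real data): the PayPal order was created for 1 x 49.90 EUR,
// then the customer raised the quantity to 3 (149.70 EUR) before the payment was captured.
$captureResponse = [
    'id' => 'EXAMPLE-ORDER-ID',
    'status' => 'COMPLETED',
    'purchase_units' => [[
        'payments' => ['captures' => [[
            'id' => 'EXAMPLE-CAPTURE-ID',
            'status' => 'COMPLETED',
            'amount' => ['currency_code' => 'EUR', 'value' => '49.90'],
        ]]],
    ]],
];
$orderTotalMinor = 14970; // 3 x 49.90 EUR, the total Sylius sees when the capture result arrives

printf("Captured %d of %d minor units\n", capturedTotal($captureResponse, 'EUR'), $orderTotalMinor);
printf("Vulnerable handling: %s\n", vulnerablePaymentState($captureResponse));
printf("Reconciled handling: %s\n", reconciledPaymentState($orderTotalMinor, 'EUR', $captureResponse));
```

The check belongs wherever the store turns the capture result into a payment state, so that a stale PayPal amount can never complete the payment on its own. It is a safety net rather than a replacement for the fix: the upgraded plugin keeps the amount PayPal is asked to capture in step with the cart, while this comparison catches any remaining mismatch (including partial or pending captures) before the order is marked paid.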
The issue is fixed in versions 1.6.1, 1.7.1, and 2.0.1, and in all later releases.
If an immediate upgrade is not possible, merchants should take the following actions to mitigate risk:
Keeping your store secure is crucial – please update your plugin and inform your peers in the Sylius community about this fix to ensure a safer environment for all.