CVE-2023-23941

7.5 HIGH

📋 TL;DR

This CVE describes a missing integrity check in SwagPayPal's JavaScript-based PayPal checkout methods: the amount and item list that are sent to PayPal during checkout may not match the order that Shopware then creates, and the plugin did not verify that they do. An attacker acting as a customer can therefore manipulate the payment amount or the item list during checkout. Affected are Shopware shops running SwagPayPal before 5.4.4 with PayPal Plus, Smart Payment Buttons, SEPA, Pay Later, Venmo or Credit Card enabled.

💻 Affected Systems

Products:
  • SwagPayPal (Shopware PayPal integration)
Versions: before 5.4.4
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects JavaScript-based PayPal checkout methods: PayPal Plus, Smart Payment Buttons, SEPA, Pay Later, Venmo, and Credit Card.

📦 What is this software?

SwagPayPal is Shopware's official PayPal payment extension for the Shopware 6 e-commerce platform. It adds the PayPal checkout methods (PayPal Plus, Smart Payment Buttons, SEPA, Pay Later, Venmo, Credit Card and others) to the storefront; several of them create the PayPal order from browser-side JavaScript and then hand over to Shopware to create the shop order.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers pay far less than the real order total, or obtain items they did not pay for, so the merchant ships goods against a payment that does not cover them; over time this also produces inventory and accounting discrepancies.

🟠 Likely Case

Small payment discrepancies: attackers use the mismatch to pay slightly less than the actual order amount, low enough to slip past casual review.

🟢 If Mitigated

No impact once the patched plugin enforces the integrity check between the PayPal order and the Shopware order, or where the merchant reconciles every PayPal capture against the order total before fulfilment.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW
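The control that closes this class of gap, shown as an added example that is not SwagPayPal's code: a server-side comparison of the PayPal order (as returned by PayPal's Orders v2 API, whose purchase_units, amount, breakdown.item_total and items field names are real) against the Shopware cart before anything is captured. The cart dictionary shape, the sample data and all function names are constructed for this illustration; the flawed vulnerable_capture pattern is shown beside the hardened safe_capture flow.

```python
"""Server-side integrity check: does the PayPal order match the Shopware cart?

Added example, not SwagPayPal's code. PayPal field paths follow the Orders v2
API; the cart shape, sample data and function names are assumptions made for
this illustration.
"""
from decimal import Decimal, InvalidOperation


def _money(value):
    """Parse a PayPal money string such as "19.95" into an exact Decimal."""
    try:
        return Decimal(str(value))
    except InvalidOperation as exc:
        raise ValueError(f"bad money value: {value!r}") from exc


def _item_counts(pairs):
    """Fold (name, unit_price) -> quantity so duplicate lines add up instead of overwriting."""
    counts = {}
    for key, qty in pairs:
        counts[key] = counts.get(key, 0) + qty
    return counts


def vulnerable_capture(paypal_order, cart):
    """Flawed pattern: capture whatever the browser-side JS put into the PayPal order.
    Nothing compares the PayPal amount to the cart, which is the gap this CVE describes."""
    captured = _money(paypal_order["purchase_units"][0]["amount"]["value"])
    return {"captured": captured, "order_total": cart["total"]}


def paypal_order_matches_cart(paypal_order, cart):
    """Return a list of mismatch descriptions; an empty list means capture may proceed."""
    problems = []
    units = paypal_order.get("purchase_units", [])
    if len(units) != 1:
        return [f"expected exactly one purchase_unit, got {len(units)}"]
    unit = units[0]
    amount = unit["amount"]

    if amount["currency_code"] != cart["currency"]:
        problems.append(f"currency {amount['currency_code']} != cart currency {cart['currency']}")

    total = _money(amount["value"])
    if total != cart["total"]:
        problems.append(f"PayPal amount {total} != cart total {cart['total']}")

    # PayPal carries quantities and prices as strings; compare exact Decimals, never floats.
    paypal_items = _item_counts(
        ((i["name"], _money(i["unit_amount"]["value"])), int(i["quantity"]))
        for i in unit.get("items", []))
    cart_items = _item_counts(
        ((i["label"], i["unit_price"]), i["quantity"]) for i in cart["line_items"])
    if paypal_items != cart_items:
        problems.append(f"item list differs: paypal={paypal_items} cart={cart_items}")

    # Internal consistency of the PayPal order itself: items must add up to item_total.
    item_total = amount.get("breakdown", {}).get("item_total")
    if item_total is not None:
        item_sum = sum((price * qty for (_, price), qty in paypal_items.items()), Decimal("0"))
        if item_sum != _money(item_total["value"]):
            problems.append(f"items sum to {item_sum} but item_total is {item_total['value']}")
    return problems


def safe_capture(paypal_order, cart):
    """Hardened flow: refuse to capture unless PayPal order and Shopware cart agree."""
    problems = paypal_order_matches_cart(paypal_order, cart)
    if problems:
        raise ValueError("PayPal order does not match Shopware cart: " + "; ".join(problems))
    return vulnerable_capture(paypal_order, cart)


# Constructed sample data: a 59.90 EUR cart, the matching PayPal order, and a
# tampered PayPal order whose browser-side request was edited down to 1.00 EUR.
CART = {
    "currency": "EUR",
    "total": Decimal("59.90"),
    "line_items": [
        {"label": "Widget", "unit_price": Decimal("19.95"), "quantity": 2},
        {"label": "Gadget", "unit_price": Decimal("20.00"), "quantity": 1},
    ],
}


def _paypal_order(total, items):
    """Build a minimal Orders v2-shaped order (constructed, for the sample only)."""
    return {"purchase_units": [{
        "amount": {"currency_code": "EUR", "value": total,
                   "breakdown": {"item_total": {"currency_code": "EUR", "value": total}}},
        "items": [{"name": n, "quantity": str(q),
                   "unit_amount": {"currency_code": "EUR", "value": p}} for n, q, p in items],
    }]}


GOOD_ORDER = _paypal_order("59.90", [("Widget", 2, "19.95"), ("Gadget", 1, "20.00")])
TAMPERED_ORDER = _paypal_order("1.00", [("Widget", 1, "1.00")])

if __name__ == "__main__":
    print("good order problems:", paypal_order_matches_cart(GOOD_ORDER, CART))
    print("tampered order problems:", paypal_order_matches_cart(TAMPERED_ORDER, CART))
    print("vulnerable flow captured:", vulnerable_capture(TAMPERED_ORDER, CART)["captured"])
```

The design point is that every value the browser could have influenced (total, currency, item list) is re-derived from the server-side cart and compared as exact Decimals; the vulnerable flow captures 1.00 against a 59.90 order, the hardened flow raises before capture.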

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation only requires the attacker to go through the storefront checkout as an ordinary customer; no Shopware account or backend access is needed, and the "user interaction" is supplied by the attacker themselves.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.4.4

Vendor Advisory: https://github.com/shopware/SwagPayPal/security/advisories/GHSA-vxpm-8hcp-qh27

Restart Required: No

Instructions:

1. Update SwagPayPal to version 5.4.4 or later via Shopware's extension manager or Composer.
2. Clear the Shopware cache (bin/console cache:clear).
3. Place a test order through each enabled PayPal method and confirm that the amount captured by PayPal equals the Shopware order total.

🔧 Temporary Workarounds

Disable vulnerable payment methods (applies to: all affected versions)

Temporarily disable the affected JavaScript-based PayPal payment methods (PayPal Plus, Smart Payment Buttons, SEPA, Pay Later, Venmo, Credit Card) in the Shopware admin. Payment methods not in that list are not named as affected by the advisory.

Install Security Plugin (applies to: all affected versions)

Install and enable the Shopware Security Plugin version 1.0.21 or later as an interim fix for shops that cannot update SwagPayPal immediately.

🧯 If You Can't Patch

  • Disable all JavaScript-based PayPal payment methods immediately.
  • Compare every PayPal capture amount and item list against the corresponding Shopware order before shipping, and hold any order where the two disagree.

🔍 How to Verify

Check if Vulnerable:

Look up the SwagPayPal version in the Shopware admin under Extensions > My extensions, or on the server:

bin/console plugin:list
composer show | grep -i paypal

Any version below 5.4.4 with one of the listed JavaScript-based payment methods enabled is vulnerable.

Check Version:

bin/console plugin:list | grep -i paypal

Verify Fix Applied:

Confirm the SwagPayPal version is 5.4.4 or later, clear the cache, then place a test order through each enabled PayPal method and confirm that the amount captured by PayPal equals the Shopware order total.

📡 Detection & Monitoring

Log Indicators:

  • Discrepancies between the amount captured by PayPal and the Shopware order total for the same order. Note that a vulnerable plugin version performs no comparison and therefore logs no "mismatch" event; on an unpatched shop the only reliable indicator is an after-the-fact reconciliation of PayPal transaction reports against Shopware orders.
  • After patching: repeated failed integrity validations for PayPal transactions, which may indicate someone probing for the old weakness.

Network Indicators:

  • PayPal Orders API calls whose amount or item list does not correspond to the cart or order being checked out.

SIEM Query (adjust the source and message strings to your actual log format; the strings below are illustrative):

source="shopware_logs" AND "PayPal" AND ("amount mismatch" OR "validation failed")
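The reconciliation the indicators above call for, as an added example that is not part of this page or of SwagPayPal: it joins a Shopware order export against a PayPal capture report and flags PayPal-paid orders that were underpaid, captured in a different currency, captured more than once, or never captured. Both feeds are constructed JSON-lines samples; the field names (order_number, amount_total, payment_method, invoice_id, capture_id) are assumptions that must be mapped onto your real exports.

```python
"""Reconcile PayPal captures against Shopware order totals.

Added example, not SwagPayPal's own logging or code. Both inputs are constructed
JSON-lines samples; the field names are assumptions for this illustration and
must be mapped onto the real Shopware order export and PayPal transaction report.
"""
import json
from decimal import Decimal

# Constructed sample: four Shopware orders, three of them paid via PayPal methods.
SHOPWARE_ORDERS = """
{"order_number": "10041", "amount_total": "29.90", "currency": "EUR", "payment_method": "paypal_spb"}
{"order_number": "10042", "amount_total": "59.90", "currency": "EUR", "payment_method": "paypal_spb"}
{"order_number": "10043", "amount_total": "120.00", "currency": "EUR", "payment_method": "invoice"}
{"order_number": "10044", "amount_total": "15.00", "currency": "EUR", "payment_method": "paypal_sepa"}
""".strip().splitlines()

# Constructed sample: PayPal captures, keyed to the shop order via invoice_id.
# 10042 was captured for a tampered 1.00 instead of 59.90; 10044 in the wrong currency.
PAYPAL_CAPTURES = """
{"invoice_id": "10041", "amount": "29.90", "currency_code": "EUR", "capture_id": "CAP-1"}
{"invoice_id": "10042", "amount": "1.00", "currency_code": "EUR", "capture_id": "CAP-2"}
{"invoice_id": "10044", "amount": "15.00", "currency_code": "USD", "capture_id": "CAP-3"}
""".strip().splitlines()


def reconcile(shopware_lines, paypal_lines):
    """Return (order_number, reason) findings for PayPal-paid orders whose capture is
    missing, differs from the order total, is in another currency, or is duplicated."""
    captures = {}
    for line in paypal_lines:
        rec = json.loads(line)
        if rec["invoice_id"] in captures:
            # A second capture for one order is worth a look; keep the first, note the rest.
            captures[rec["invoice_id"]].setdefault("extra", []).append(rec["capture_id"])
            continue
        captures[rec["invoice_id"]] = rec

    findings = []
    for line in shopware_lines:
        order = json.loads(line)
        if not order["payment_method"].startswith("paypal"):
            continue  # only PayPal-paid orders are in scope for this CVE
        number = order["order_number"]
        cap = captures.get(number)
        if cap is None:
            findings.append((number, "no PayPal capture found"))
            continue
        expected = Decimal(order["amount_total"])
        paid = Decimal(cap["amount"])  # exact Decimal, never float, for money
        if cap["currency_code"] != order["currency"]:
            findings.append((number, f"captured in {cap['currency_code']}, order is {order['currency']}"))
        if paid != expected:
            findings.append((number, f"captured {paid} but order total is {expected}"))
        if cap.get("extra"):
            findings.append((number, f"additional captures: {cap['extra']}"))
    return findings


if __name__ == "__main__":
    for order_number, reason in reconcile(SHOPWARE_ORDERS, PAYPAL_CAPTURES):
        print(f"order {order_number}: {reason}")
```

Run this against a daily export on any shop that was exposed before patching; an underpaid capture like order 10042 above is exactly the trace this vulnerability leaves, and it is only visible by comparing the two systems, not in the plugin's own logs.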

🔗 References

  • Vendor advisory: https://github.com/shopware/SwagPayPal/security/advisories/GHSA-vxpm-8hcp-qh27
  • NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-23941