CVE-2012-2991

2012-09-1919:55:05

[email protected]

web.nvd.nist.gov

security

vulnerability

cve-2012-2991

oscommerce

paypal

remote attack

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

6.7 Medium

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

59.8%

JSON

The PayPal (aka MODULE_PAYMENT_PAYPAL_STANDARD) module before 1.1 in osCommerce Online Merchant before 2.3.4 allows remote attackers to set the payment recipient via a modified value of the merchant’s e-mail address, as demonstrated by setting the recipient to one’s self.

Affected configurations

NVD

Node

oscommerceonline_merchantRange≤2.3.3

oscommerceonline_merchantMatch2.3.0

oscommerceonline_merchantMatch2.3.1

oscommerceonline_merchantMatch2.3.2

paypalwebsite_payments_standard_moduleRange≤1.0

CPENameOperatorVersion
oscommerce:online_merchantoscommerce online merchantle2.3.3
oscommerce:online_merchantoscommerce online merchanteq2.3.0
oscommerce:online_merchantoscommerce online merchanteq2.3.1
oscommerce:online_merchantoscommerce online merchanteq2.3.2
paypal:website_payments_standard_modulepaypal website payments standard modulele1.0

CPE	Name	Operator	Version
oscommerce:online_merchant	oscommerce online merchant	le	2.3.3
oscommerce:online_merchant	oscommerce online merchant	eq	2.3.0
oscommerce:online_merchant	oscommerce online merchant	eq	2.3.1
oscommerce:online_merchant	oscommerce online merchant	eq	2.3.2
paypal:website_payments_standard_module	paypal website payments standard module	le	1.0