Description
paypal-ipn before 3.0.0 uses the `test_ipn` parameter (which is set by the PayPal IPN simulator) to determine if it should use the production PayPal site or the sandbox. With a bit of time, an attacker could craft a request using the simulator that would fool any application which does not explicitly check for test_ipn in production.
Remediation
References
https://nodesecurity.io/advisories/26
https://github.com/andzdroid/paypal-ipn/issues/11
Related Vulnerabilities
CVE-2018-16460 Vulnerability in npm package ps
CVE-2022-41254 Vulnerability in maven package org.jenkins-ci.plugins:cons3rt
CVE-2017-16006 Vulnerability in npm package remarkable
CVE-2016-15026 Vulnerability in maven package com.googlecode.plist:dd-plist
CVE-2016-10750 Vulnerability in maven package com.hazelcast:hazelcast-spring