CVE-2021-41120: 
PHP vulnerability analysis and mitigation

sylius/paypal-plugin is a PayPal plugin for the Sylius development platform that contained a security vulnerability (CVE-2021-41120) discovered and disclosed on October 5, 2021. The vulnerability affected versions >= 1.0.0, >= 1.1.0, >= 1.2.0 < 1.2.3, and 1.3.0 of the plugin (GitHub Advisory).

The vulnerability existed because the payment page URL was created with an autoincremented payment ID (/pay-with-paypal/{id}), making it accessible to anyone, not just the order's customer. The credit card form had a prefilled 'credit card holder' field containing the customer's first and last name. Additionally, the form did not require 3D Secure authentication and did not verify the result of 3D Secure authentication when implemented (GitHub Advisory).

This vulnerability could allow unauthorized users to access payment pages and view customers' personal information (first and last names). The lack of proper 3D Secure authentication implementation also increased the risk of unauthorized payment processing (GitHub Advisory).

The vulnerability was patched in versions 1.2.4 and 1.3.1 of the Sylius/PayPalPlugin. As a workaround, users could override the syliuspaypalpluginpaywithpaypalform route to change URL parameters to include orderToken and paymentId, override the PayWithPayPalFormAction service, and modify the payment repository method. Additionally, the payWithPaypal.html.twig template could be overridden to add proper 3D Secure authentication handling (GitHub Advisory).