
Cloud Vulnerability DB
A community-led vulnerabilities database
SwagPayPal, a PayPal integration for shopware/platform, was found to contain a vulnerability (CVE-2023-23941) where JavaScript-based PayPal checkout methods could result in payment information discrepancies. The vulnerability affects versions prior to 5.4.4 and was disclosed on February 2, 2023. The affected payment methods include PayPal Plus, Smart Payment Buttons, SEPA, Pay Later, Venmo, and Credit card features (GitHub Advisory).
The vulnerability allows a mismatch between the amount and item list sent to PayPal and the order actually created when JavaScript-based PayPal checkout methods are used. The issue has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N, indicating a network attack vector, low attack complexity, no required privileges or user interaction, and a high integrity impact with no confidentiality or availability impact (NVD).
The primary impact of this vulnerability is on payment integrity: the payment information transmitted to PayPal may not match the actual order details in the system. This discrepancy could lead to financial inconsistencies and transaction integrity issues (GitHub Advisory).
The vulnerability has been patched in version 5.4.4 of SwagPayPal. For users unable to update immediately, two workarounds are available: either disable the affected JavaScript-based payment methods or use the Security Plugin version 1.0.21 or higher (GitHub Advisory, GitHub Commit).
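A reconciliation check for the discrepancy described above, comparing what PayPal recorded against the order the shop created. This is an added example, not code from SwagPayPal or the advisory: the shop order fields (`currency`, `total`, `line_items`, `unit_price`) are hypothetical, and the PayPal side assumes the Orders v2 payload layout with one purchase unit and `sku` set on every item.

```python
from decimal import Decimal

def _paypal_view(pp):
    # Assumes PayPal Orders v2 layout with exactly one purchase unit.
    unit = pp["purchase_units"][0]
    items = {i["sku"]: (int(i["quantity"]), Decimal(i["unit_amount"]["value"]))
             for i in unit.get("items", [])}
    return unit["amount"]["currency_code"], Decimal(unit["amount"]["value"]), items

def _shop_view(order):
    # Hypothetical shop-side order record; these field names are assumptions.
    items = {l["sku"]: (int(l["quantity"]), Decimal(l["unit_price"]))
             for l in order["line_items"]}
    return order["currency"], Decimal(order["total"]), items

def reconcile(pp, order):
    """Return a list of discrepancies; an empty list means both sides agree."""
    p_cur, p_total, p_items = _paypal_view(pp)
    s_cur, s_total, s_items = _shop_view(order)
    issues = []
    if p_cur != s_cur:
        issues.append(f"currency: paypal={p_cur} shop={s_cur}")
    if p_total != s_total:  # Decimal comparison avoids float rounding noise
        issues.append(f"total: paypal={p_total} shop={s_total}")
    for sku in sorted(set(p_items) | set(s_items)):
        if p_items.get(sku) != s_items.get(sku):
            issues.append(f"item {sku}: paypal={p_items.get(sku)} shop={s_items.get(sku)}")
    return issues

def _pp(total, items):
    # Build a constructed PayPal-style payload from (sku, qty, unit price) tuples.
    return {"purchase_units": [{
        "amount": {"currency_code": "EUR", "value": total},
        "items": [{"sku": s, "quantity": q, "unit_amount": {"value": v}}
                  for s, q, v in items]}]}

# Constructed sample data (not taken from any real transaction).
SHOP_ORDER = {"currency": "EUR", "total": "149.90", "line_items": [
    {"sku": "SKU-1001", "quantity": 1, "unit_price": "129.95"},
    {"sku": "SKU-2002", "quantity": 1, "unit_price": "19.95"}]}
PAYPAL_MATCH = _pp("149.90", [("SKU-1001", "1", "129.95"), ("SKU-2002", "1", "19.95")])
PAYPAL_MISMATCH = _pp("19.95", [("SKU-2002", "1", "19.95")])

if __name__ == "__main__":
    for name, pp in (("match", PAYPAL_MATCH), ("mismatch", PAYPAL_MISMATCH)):
        print(name, reconcile(pp, SHOP_ORDER) or "OK")
```

Run over orders paid through the affected methods before the update to 5.4.4, any non-empty result marks an order for manual review.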
Source: This report was generated using AI