PatchSiren cyber security CVE debrief
CVE-2017-6099 PayPal CVE debrief
CVE-2017-6099 is a cross-site scripting issue in PayPal's merchant-sdk-php 3.9.1. The vulnerable behavior is in GetAuthDetails.html.php, where the token parameter can be used to inject arbitrary web script or HTML into the response. NVD classifies the weakness as CWE-79 and rates the issue 6.1 on CVSS v3.0 (network exploitable, user interaction required, scope changed).
- Vendor: PayPal
- Product: CVE-2017-6099
- CVSS: MEDIUM 6.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-02-24
- Original CVE updated: 2026-05-13
- Advisory published: 2017-02-24
- Advisory updated: 2026-05-13
Who should care
Teams running PayPal merchant-sdk-php 3.9.1, especially applications that render or reflect token values in browser-facing flows. Web application owners, library maintainers, and security teams reviewing client-side injection risk should prioritize it.
Technical summary
According to the NVD record, CVE-2017-6099 affects the product identified as cpe:2.3:a:paypal:merchant-sdk-php:3.9.1 and maps to CWE-79. The issue is a reflected XSS in GetAuthDetails.html.php: the token parameter is written back into the HTML response without context-appropriate encoding. The published CVSS vector is CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, indicating remote reachability with no privileges required but with user interaction.
Defensive priority
Medium. The vulnerability is remotely reachable and can affect confidentiality and integrity, but it requires user interaction and does not directly impact availability. Prioritize if the library is internet-facing or handles untrusted token data in browser responses.
Recommended defensive actions
- Identify deployments using PayPal merchant-sdk-php 3.9.1 and treat them as potentially affected.
- Inspect any code paths that pass the token parameter into HTML responses and apply context-appropriate output encoding.
- Validate and sanitize untrusted input before it is rendered back to users.
- Reduce exposure by limiting access to affected pages or flows until the vulnerable component is replaced or updated.
- Review related application pages for similar reflected XSS patterns in SDK integrations.
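To make the second action concrete, the block below contrasts the CWE-79 pattern behind this CVE with a hardened handler. It is an added illustration, not code from the PayPal SDK or its GetAuthDetails.html.php sample; the function names, the sample page logic and the assumed token format (letters, digits and hyphens, at most 64 characters) are all hypothetical.

```php
<?php
// Added illustration of the CWE-79 pattern behind CVE-2017-6099 (not the SDK's own code).
// In a real handler the value would come from $_GET['token'] ?? ''; here it is
// passed in directly so the contrast between the two renderers can be observed.

declare(strict_types=1);

// Vulnerable pattern: the raw parameter is interpolated into markup, so any
// HTML or script present in the parameter is rendered by the browser.
function render_token_vulnerable(string $token): string
{
    return "<p>Authorization token: {$token}</p>";
}

// Hardened pattern, step 1: encode for the HTML text context. ENT_QUOTES
// covers both quote styles so the same helper is also safe inside attribute
// values; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning "".
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened pattern, step 2 (assumption): tokens in this flow are short opaque
// identifiers made of letters, digits and hyphens. Reject anything else
// before it reaches the template, so encoding is a second line of defense.
function is_well_formed_token(string $token): bool
{
    return preg_match('/^[A-Za-z0-9-]{1,64}$/', $token) === 1;
}

function render_token_hardened(string $token): string
{
    if (!is_well_formed_token($token)) {
        // Do not reflect the rejected value at all; return a fixed message.
        return '<p>Invalid token.</p>';
    }
    return '<p>Authorization token: ' . html_escape($token) . '</p>';
}

// Constructed sample inputs: one well-formed token and one carrying markup.
$samples = [
    'EC-1234567890ABCDEF',
    '<b>not-a-token</b>',
];

foreach ($samples as $sample) {
    echo 'vulnerable: ' . render_token_vulnerable($sample) . "\n";
    echo 'hardened:   ' . render_token_hardened($sample) . "\n";
}
```

The second sample is rendered as live markup by the vulnerable function and rejected outright by the hardened one; a value that passes the allowlist but still contains a character such as an apostrophe would be neutralized by the encoding step.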
Evidence notes
The CVE description states that GetAuthDetails.html.php in PayPal PHP Merchant SDK (merchant-sdk-php) 3.9.1 allows remote attackers to inject arbitrary web script or HTML via the token parameter. The NVD metadata marks version 3.9.1 as vulnerable, lists CWE-79, and provides the CVSS v3.0 vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. References include a SecurityFocus BID entry and a GitHub issue in the merchant-sdk-php repository, both tagged as third-party advisory material.
Official resources
- CVE-2017-6099 CVE record (CVE.org)
- CVE-2017-6099 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] (Third Party Advisory, VDB Entry)
- Mitigation or vendor reference: [email protected] (Exploit, Third Party Advisory)
First published in the official CVE/NVD record on 2017-02-24 and modified in the source record on 2026-05-13. The supplied references point to a SecurityFocus BID entry and a GitHub issue in the PayPal merchant-sdk-php repository.