Advisories for Composer/Paypal/Merchant-Sdk-Php package

Remote attackers can inject arbitrary web script or HTML via the token parameter.