BankInfoSecurity
May 5, 2021
Compliance
Compliance Twitter Get Permission
PayPal has patched a cross-site scripting - or XSS - vulnerability in its currency conversion endpoint that, if exploited, could enable malicious JavaScript injection.
The PayPal vulnerability was discovered in February 2020 by a security researcher who goes by the name Cr33pb0y, who was paid $2,900 as part of HackerOne s bug bounty program.
Responding in the HackerOne forum, PayPal notes the vulnerability resulted in its currency conversion URL improperly handling user input. An attacker exploiting the vulnerability could perform JavaScript injection or add other malicious code to the URL to access the document object model on the victim s browser. By loading a malicious payload into a victim s browser, hackers could steal data or take control of a device.