Home / vulnerabilities PayPal Cross Site Scripting
Posted on 04 January 2011
Source : packetstormsecurity.org Link
--------------------------------------------------------------------------------
1. Summary:
PayPal's send money feature is affected by an XSS (cross-site scripting)
vulnerability.
--------------------------------------------------------------------------------
2. Description:
When sending money via PayPal, the sender has an option to input a message
along with the money being sent. A malicious attacker can inject XSS code
into this message box because it fails to validate input. When the victim
goes to view the transaction page the injected code will execute.
--------------------------------------------------------------------------------
3. Impact:
Potentially allow an attacker access to a victim’s PayPal account.
--------------------------------------------------------------------------------
4. Affected Products:
www.paypal.com
--------------------------------------------------------------------------------
5. Solution: None
--------------------------------------------------------------------------------
6. Time Table:
12/06/2010 Reported Vulnerability to the Vendor
12/07/2010 Vendor Acknowledge Vulnerability
--------------------------------------------------------------------------------
7. Credits:
Discovered by Nathan Power
www.securitypentest.com
--------------------------------------------------------------------------------
