A security researcher from Vulnerability-Lab has discovered a persistent input validation vulnerability in the official PayPal e-commerce website content management system (Customer/Pro/Seller). The bug allows remote attackers to inject malicious script code on the application side (persistent) of the PayPal web service.
The vulnerability is located in the company profile input fields, bound to the vulnerable address_id, details (mail) and companyname parameters.
The bug affects the user profile listing, the address listings and the security notification mail. The persistent vulnerability is also present in the mail security notification (delete address) module, through the same vulnerable companyname parameter.
The vulnerability can be exploited by remote attackers with low required user interaction and a privileged Customer/Pro/Seller account. Successful exploitation can lead to session hijacking (of customers), account takeover via a persistent web attack, persistent phishing, or stable (persistent) context manipulation in every section and module where the vulnerable companyname is displayed.
"Restrict the company name input value and parse it with exception handling or a secure filter mask. Parse the companyname, addressid & details output of the security mail notification to prevent script code injects/executions," Vulnerability-Lab suggests as the solution for this vulnerability.
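The two halves of that recommendation, an allowlist on the stored company name and contextual encoding wherever the name is echoed back (profile listing, address listing, the "address deleted" notification mail), look like this in practice. This is an added illustration written for this article, not PayPal's or Vulnerability-Lab's code: the field names mirror the parameters the advisory names, while the allowlist pattern, the 64-character cap, the `SAMPLE_PROFILE` record and the function names are assumptions chosen for the example.

```python
import html
import re

# Constructed sample record (not from the advisory): what a profile row might
# hold once a markup-bearing company name has been stored without filtering.
SAMPLE_PROFILE = {
    "address_id": "1234",
    "companyname": "<script>alert(1)</script>",
    "details": 'Acme "Widgets" & Co. <b>bold</b>',
}

# Input side: allowlist for a company name. Letters, digits, spaces and a small
# set of punctuation, 1 to 64 characters. The real PayPal rule is not on the
# page; this pattern is an assumption for illustration.
COMPANYNAME_RE = re.compile(r"^[A-Za-z0-9 .,&'\-]{1,64}$")


def validate_companyname(value: str) -> bool:
    """Reject a company name at submission time unless it matches the allowlist."""
    return COMPANYNAME_RE.fullmatch(value) is not None


def render_profile_row(profile: dict) -> str:
    """Output side for the profile/address listing.

    Every field is HTML-escaped at render time, including the address_id used
    in an attribute, so a value that slipped past validation (or was stored
    before the filter existed) is shown as inert text rather than executed.
    """
    return (
        '<tr data-address-id="{aid}"><td>{name}</td><td>{details}</td></tr>'
    ).format(
        aid=html.escape(profile["address_id"], quote=True),
        name=html.escape(profile["companyname"], quote=True),
        details=html.escape(profile["details"], quote=True),
    )


def render_delete_notice(profile: dict) -> str:
    """Output side for the 'address deleted' security notification mail.

    The same rule applies to the HTML mail body as to the web page: encode at
    output, never trust the stored value. Carriage returns and line feeds are
    also dropped so the name cannot spill into additional mail lines.
    """
    name = re.sub(r"[\r\n]", "", profile["companyname"])
    safe_name = html.escape(name, quote=True)
    safe_id = html.escape(profile["address_id"], quote=True)
    return (
        "<p>The address <strong>{aid}</strong> registered under company "
        "<strong>{name}</strong> was removed from your account.</p>"
    ).format(aid=safe_id, name=safe_name)


def contains_raw_markup(rendered: str) -> bool:
    """Simple post-render check: a correctly encoded page or mail body never
    contains a literal '<script' or an unescaped '<' from user data."""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    print("valid name:", validate_companyname("Acme & Co."))
    print("stored payload accepted:", validate_companyname(SAMPLE_PROFILE["companyname"]))
    print(render_profile_row(SAMPLE_PROFILE))
    print(render_delete_notice(SAMPLE_PROFILE))
```

Validation alone would not have protected records stored before the filter was deployed, which is why the encoding step is applied unconditionally at every output point the advisory lists rather than only to new submissions.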
A few months after Vulnerability-Lab discovered the security flaw and notified PayPal, PayPal's security team fixed the bug.
The POC details for this vulnerability can be found here.