PayPal has fixed a cross-site scripting (XSS) vulnerability affecting the currency conversion feature of user wallets.
The vulnerability, described as a "reflected XSS and CSP bypass" issue, was first reported through HackerOne by a bug hunter using the handle "Cr33pb0y".
The flaw was found in the currency conversion feature of PayPal wallets on the PayPal web domain.
In a report released Feb. 10, almost a year after the researcher privately reported the issue, PayPal said the bug was in the currency conversion endpoint and was caused by a failure to properly validate user input.
As a result, malicious payloads could be triggered in the Document Object Model (DOM) of a victim's browser page without their knowledge or consent.
Typically, reflected XSS attacks "reflect" a script from a web source back to the browser, and usually require the victim to click a malicious link for the payload to be activated. Payloads can be used to steal cookies, session tokens or account information, or they can serve as one step in a wider attack.
Following disclosure of the vulnerability, PayPal has implemented additional validation checks on user input to the currency exchange feature in order to eliminate the bug.
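To make the "failure to validate user input" and the fix concrete, the following is an added illustration (not PayPal's code, and not the actual endpoint, whose parameters are not described in the article): a page renderer that echoes a `currency` query parameter into the HTML, shown in a reflected-XSS-prone form beside a hardened one that allow-lists the value and HTML-encodes it on output. The parameter names and the three-letter currency-code rule are assumptions for the example only.

```javascript
// Added example, not code from PayPal or from the article's author.
// Assumed shape: a page reads ?currency=XXX from the URL and echoes it.

// HTML-encode the five characters that change meaning inside element
// or attribute text, so any reflected value stays plain text in the DOM.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Allow-list for the currency code: exactly three uppercase letters
// (ISO 4217 style). Assumption made for this example.
const CURRENCY_RE = /^[A-Z]{3}$/;

// Vulnerable form: the raw query value is concatenated into markup, so
// a crafted link puts attacker-chosen tags into the victim's DOM.
function renderVulnerable(query) {
  const cur = query.get('currency') ?? 'USD';
  return `<p>Converting to ${cur}</p>`;
}

// Hardened form: reject anything outside the allow-list with a 400,
// and still encode on output as defence in depth.
function renderHardened(query) {
  const raw = query.get('currency') ?? 'USD';
  if (!CURRENCY_RE.test(raw)) {
    return { status: 400, body: '<p>Unsupported currency code</p>' };
  }
  return { status: 200, body: `<p>Converting to ${escapeHtml(raw)}</p>` };
}

// For free-text fields where no tight allow-list exists (assumed "note"
// parameter), contextual output encoding alone neutralises reflected markup.
function renderNote(query) {
  const note = query.get('note') ?? '';
  return `<p>Note: ${escapeHtml(note)}</p>`;
}

// Constructed sample inputs: a benign request and a script-injection probe.
const benignQuery = new URLSearchParams('currency=EUR&note=hello');
const probeQuery = new URLSearchParams('currency=<script>x</script>&note=<b>hi</b>');

console.log('vulnerable:', renderVulnerable(probeQuery));
console.log('hardened  :', JSON.stringify(renderHardened(probeQuery)));
console.log('benign    :', JSON.stringify(renderHardened(benignQuery)));
console.log('note      :', renderNote(probeQuery));
```

Running the block prints the vulnerable renderer emitting the probe's tags verbatim, while the hardened renderer answers 400 for the probe and encodes the benign value; the free-text note shows `&lt;b&gt;hi&lt;/b&gt;` rather than a live element.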
No CVE has been assigned, but the vulnerability has been categorized as moderate. The researcher was given $2,900 as a financial reward.
Source: zdnet.com