PayPal vulnerable to cross-site scripting again

Status
Not open for further replies.

Jack

Administrator
Thread author
Jan 24, 2011
H-Security said:
17-year-old German schoolboy Robert Kugler has posted information on a cross-site scripting vulnerability in payment processing service PayPal to the Full Disclosure mailing list. Kugler wanted to report the bug to PayPal as part of its official Bug Bounty Program, but the program only pays out to participants who are 18 or over. To vent his frustration, he has now gone public with the bug.

PayPal servers apparently fail to check strings entered in the German version of the site-wide search field with sufficient rigour. The result is that it is possible to enter JavaScript in this field, which the server then sends to the browser. The browser then executes this code. Attackers can exploit such cross-site scripting (XSS) vulnerabilities to, among other things, steal access credentials. The issue can be demonstrated by entering

"<SCRIPT>alert('XSS strikes again')</SCRIPT>
in the search field. The English language version of search on PayPal directs users to a different, apparently externally run, search engine. The XSS flaw could though still be of use in attacks on English speakers using PayPal.


Read more: http://www.h-online.com/security/news/item/PayPal-vulnerable-to-cross-site-scripting-again-1871763.html
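
The failure the quoted article describes, a search term echoed back into the page without output encoding, shown next to its corrected form. This is an added example, not part of the original post and not PayPal's code; the page template, the function names and the benign query are constructed for illustration.

```javascript
// Constructed search-results renderer (hypothetical template, not PayPal's).

// Encode the five characters that are significant in HTML text and in
// quoted attribute values.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable form: the query is concatenated into an attribute value and
// into body text exactly as received.
function renderSearchUnsafe(query) {
  return '<form action="/search"><input name="q" value="' + query + '"></form>\n' +
         "<p>No results for " + query + "</p>";
}

// Hardened form: same template, every interpolation output-encoded.
function renderSearchSafe(query) {
  const q = escapeHtml(query);
  return '<form action="/search"><input name="q" value="' + q + '"></form>\n' +
         "<p>No results for " + q + "</p>";
}

// Crude regression check (a regex, not a browser parse): does the rendered
// page contain any tag name that the template itself never emits?
function containsInjectedMarkup(html) {
  const allowed = new Set(["form", "input", "p"]);
  const tags = [...html.matchAll(/<\s*\/?\s*([a-zA-Z][a-zA-Z0-9]*)/g)]
    .map((m) => m[1].toLowerCase());
  return tags.some((t) => !allowed.has(t));
}

// The string quoted in the article, plus a constructed benign query that
// must still display correctly after encoding.
const ARTICLE_INPUT = "\"<SCRIPT>alert('XSS strikes again')</SCRIPT>";
const BENIGN_INPUT = "Gebühren & Limits";

function demo() {
  return {
    unsafe: containsInjectedMarkup(renderSearchUnsafe(ARTICLE_INPUT)),
    safe: containsInjectedMarkup(renderSearchSafe(ARTICLE_INPUT)),
    benign: renderSearchSafe(BENIGN_INPUT),
  };
}

console.log(demo());
```

Encoding at the point of output keeps legitimate queries containing `&` or quotes searchable and displayable, which input blacklisting does not.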