Interesting Blind XSS vulnerability.
The PayPal security team contacted Kunz Mejri after noticing that whenever they accessed his security researcher profile they were presented with a message that read “Hi.”
The Vulnerability Laboratory Research Team (Benjamin Kunz Mejri) discovered an application-side vulnerability in the official PayPal Inc Ethernet portal backend application (API).
The researchers attempted to blindly evade and bypass the online service's filter validation of the backend listings using the main values of the profile.
This means that whenever a moderator or admin views the profile of a user listed in the PayPal Inc database in the Ethernet portal, the persistently injected code executes.
In the attack scenario, malicious test code with scripts was injected into the most attractive values of the PayPal user profile database: `bank account owner/holder (cardholder)`, `name/surname`, `company name` and, of course, the `account owner`.
- Bank Account Owner
- Name and Surname
- Account Owner

Affected:
- PayPal Inc – Ethernet Backend Portal (User Profile Listing)
The vulnerability has a CVSS (Common Vulnerability Scoring System) score of 8.9. Exploitation of the application-side remote web validation vulnerability requires a low privileged PayPal account with restricted access and no user interaction. Successful exploitation of the vulnerability results in session hijacking, account database compromise, dev/admin account compromise, external redirects and persistent manipulation of affected or connected module context.
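The example below is added here and is not PayPal's or Vulnerability Lab's code. It shows a backend profile listing that concatenates stored values into HTML, next to the same row with output encoding, plus an audit pass over records that are already stored. The field names follow the profile values listed above; the record layout, function names and sample data are assumptions constructed for illustration.

```javascript
// Added example: record layout and function names are assumptions,
// and the sample data is constructed.
const FIELDS = ["bankAccountOwner", "nameSurname", "companyName", "accountOwner"];

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode every character that can change HTML text or attribute context.
function escapeHtml(value) {
  return String(value ?? "").replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// "Before": stored values are concatenated into the backend listing as markup,
// so script stored in a profile runs in the moderator's or admin's session.
function renderRowUnsafe(profile) {
  return "<tr>" + FIELDS.map((f) => `<td>${profile[f] ?? ""}</td>`).join("") + "</tr>";
}

// "After": the same row with output encoding applied at render time, which
// holds even if an input filter was bypassed when the value was stored.
function renderRowSafe(profile) {
  return "<tr>" + FIELDS.map((f) => `<td>${escapeHtml(profile[f])}</td>`).join("") + "</tr>";
}

// Audit: report stored fields that contain tag delimiters so existing
// records can be reviewed, not only new submissions.
function auditProfiles(profiles) {
  const findings = [];
  for (const p of profiles) {
    for (const f of FIELDS) {
      if (/[<>]/.test(String(p[f] ?? ""))) findings.push({ id: p.id, field: f });
    }
  }
  return findings;
}

// Constructed sample records (not real data).
const SAMPLE_PROFILES = [
  { id: 1, bankAccountOwner: "Alice Example", nameSurname: "Alice Example",
    companyName: "Example & Co", accountOwner: "Alice Example" },
  { id: 2, bankAccountOwner: '<script>alert("Hi")</script>', nameSurname: "Bob Example",
    companyName: "Example GmbH", accountOwner: "Bob Example" },
];

console.log(renderRowUnsafe(SAMPLE_PROFILES[1]));
console.log(renderRowSafe(SAMPLE_PROFILES[1]));
console.log(auditProfiles(SAMPLE_PROFILES));
```

Encoding at render time in the backend listing is the control that matters here, because the stored value reaches a privileged viewer regardless of what the public-facing form filtered.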