Good month to everyone! A cross-site scripting vulnerability affecting PayPal's Payflow payment gateway was discovered by Nemessis just two days after another PayPal XSS was fixed.
The Payflow gateway is one of PayPal's merchant services. According to its official overview, clients should "feel secure knowing that 128-bit SSL encryption lets customers confidently use their credit cards online". They forgot to warn their customers that they are still susceptible to attack via cross-site scripting.
Fraudsters can use this vulnerability for phishing attacks and for stealing cookie-based authentication credentials. It is only a matter of time until PayPal resolves this security issue.
It is interesting to mention some XSS-vulnerable websites that Nemessis submitted to our archive: