PayPal has patched a cross-site scripting (XSS) vulnerability in its currency conversion endpoint. The vulnerability was discovered in February 2020 by a security researcher who was paid $2,900 as part of HackerOne’s bug bounty program. An attacker exploiting the vulnerability could inject JavaScript or other malicious code through the URL and access the document object model (DOM) in the victim’s browser. PayPal says the vulnerability was resolved by implementing additional controls to validate and sanitize user input before it is returned in the response. XSS vulnerabilities are a common attack vector for hackers.
Source: https://www.cuinfosecurity.com/paypal-mitigates-xss-vulnerability-a-15984
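
The class of fix described above (validate and sanitize user input before it is returned in the response), sketched as an added example. It is not PayPal's code: the parameter names `from`, `to` and `amount`, the handler functions and the sample requests are hypothetical and constructed for illustration.

```javascript
// Added example; parameter and function names are assumptions, not PayPal's API.

// Encode the five characters that are significant in HTML text and attributes.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Before: query-string values are copied into the response untouched.
function renderUnsafe(query) {
  return `<p>Converting ${query.amount} ${query.from} to ${query.to}</p>`;
}

// Validation: currency codes must have the ISO 4217 shape (three uppercase
// letters) and the amount must be a plain decimal. Anything else is rejected.
const CURRENCY_RE = /^[A-Z]{3}$/;
const AMOUNT_RE = /^\d{1,12}(\.\d{1,2})?$/;

function validate(query) {
  const errors = [];
  for (const field of ['from', 'to']) {
    // The typeof check also rejects array/object values from repeated parameters.
    if (typeof query[field] !== 'string' || !CURRENCY_RE.test(query[field])) {
      errors.push(field);
    }
  }
  if (typeof query.amount !== 'string' || !AMOUNT_RE.test(query.amount)) {
    errors.push('amount');
  }
  return errors;
}

// After: reject invalid input, and still encode on output as a second layer.
function renderSafe(query) {
  const errors = validate(query);
  if (errors.length > 0) {
    // Field names come from a fixed list above, never from the request itself.
    return { status: 400, body: `<p>Invalid parameter(s): ${errors.join(', ')}</p>` };
  }
  const body = `<p>Converting ${escapeHtml(query.amount)} ${escapeHtml(query.from)} to ${escapeHtml(query.to)}</p>`;
  return { status: 200, body };
}

// Constructed sample requests.
const benign = { from: 'USD', to: 'EUR', amount: '10.50' };
const hostile = { from: 'USD', to: '<script>alert(1)</script>', amount: '10' };
```

Validation alone covers these three fields; the output encoding stays in place so that a later change to the validation rules does not reopen the reflection.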