PayPal


reports in last 90 days

7

disclosed resolved issues

0

disclosed informative issues

0

disclosed N/A issues

Listed on HackerOne — Updated on 2019/10/15

| Severity | Bug Title | Bug Type | Found By | Report Info | Report Status |
|---|---|---|---|---|---|
| High | IDOR to add secondary users in www.paypal.com/businessmanage/users/api/v1/users | Insecure Direct Object Reference (IDOR) | born2hack | Time to triage: 1 Days and 18 hours; Time to close: 7 Days and 3 hours | Resolved |
| High | Stored XSS on https://paypal.com/signin via cache poisoning | HTTP Request Smuggling | albinowax | Time to triage: 21 Days and 21 hours; Time to close: 8 Days and 4 hours | Resolved |
| High | Bypass for #488147 enables stored XSS on https://paypal.com/signin again | HTTP Request Smuggling | albinowax | Time to triage: 0 Days and 1 hours; Time to close: 66 Days and 4 hours | Resolved |
| Medium | XSSI on refer.xoom.com allows stealing email addresses and posting to Twitter on behalf of victim | Cross-Site Request Forgery (CSRF) | alexbirsan | Time to triage: 0 Days and 0 hours; Time to close: 57 Days and 19 hours | Resolved |
| Medium | [Venmo Android] Remote theft of user session | Open Redirect | bagipro | Time to triage: 2 Days and 15 hours; Time to close: 88 Days and 6 hours | Resolved |
| Medium | [PayPal Android] Remote theft of user session using push_notification_webview deeplink | Open Redirect | bagipro | Time to triage: 34 Days and 21 hours; Time to close: 50 Days and 22 hours | Resolved |
| Medium | XSS [flow] - on www.paypal.com/paypalme/my/landing (requires user interaction) | Cross-site Scripting (XSS) - Generic | stefanofinding | Time to triage: 4 Days and 12 hours; Time to close: 11 Days and 6 hours | Resolved |