PayPal - HackerOne Reports
View on HackerOne
Total Reports: 13 | Critical: 1 | High: 4 | Medium: 8 | Low: 0
[PayPal Android] Remote theft of user session using push_notification_webview deeplink
Reported by: bagipro
Disclosed:
Severity: Medium
Weakness: Open Redirect
DoS on PayPal via web cache poisoning
Reported by: albinowax
Disclosed:
Severity: Medium
Weakness: Uncontrolled Resource Consumption
Bounty: $9700.00
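The report title above names the weakness class but the listing does not describe the mechanism. The following is an added illustration of how web cache poisoning turns into a denial of service: a cache that keys responses on the URL alone, in front of an origin whose output depends on a request header the cache does not key on. It is not PayPal's infrastructure or the reporter's technique; the hostname, the `X-Forwarded-Host` handling and the origin's failure path are all constructed for the example.

```python
"""Toy model of cache poisoning leading to DoS (added example, constructed data).

The cache keys responses on the path only. The origin's response depends on an
unkeyed header, so one attacker request can store a broken response that every
later visitor of the same URL receives until the entry expires.
"""
from dataclasses import dataclass, field


@dataclass
class Response:
    status: int
    body: str


def origin(path: str, headers: dict) -> Response:
    # Constructed origin: it builds absolute links from X-Forwarded-Host and
    # fails on an oversized value. Any header-dependent failure path behaves
    # the same way for the purposes of the cache.
    xfh = headers.get("x-forwarded-host", "www.example.test")
    if len(xfh) > 64:
        return Response(400, "Bad Request")
    return Response(200, f"<a href='https://{xfh}{path}'>home</a>")


@dataclass
class Cache:
    keyed_headers: tuple = ()  # request headers that form part of the cache key
    store: dict = field(default_factory=dict)

    def key(self, path: str, headers: dict) -> tuple:
        return (path,) + tuple(headers.get(h, "") for h in self.keyed_headers)

    def get(self, path: str, headers: dict) -> Response:
        k = self.key(path, headers)
        if k not in self.store:
            self.store[k] = origin(path, headers)
        return self.store[k]


def simulate(cache: Cache) -> tuple:
    """Attacker sends one request, then a normal visitor hits the same URL.

    Returns (attacker_status, victim_status). With a path-only key the victim
    gets the attacker's 400; with X-Forwarded-Host in the key the victim gets 200.
    """
    attacker = cache.get("/", {"x-forwarded-host": "a" * 500})
    victim = cache.get("/", {})
    return attacker.status, victim.status


if __name__ == "__main__":
    print("unkeyed header:", simulate(Cache()))
    print("header in key: ", simulate(Cache(keyed_headers=("x-forwarded-host",))))
```

The fix modelled here is to either include every response-influencing header in the cache key or strip such headers at the edge before they reach the origin. Real caches differ in whether they store error responses at all, so the practical check is to send a request with an unusual unkeyed header and see whether a second, clean request returns the altered body.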
IDOR to add secondary users in www.paypal.com/businessmanage/users/api/v1/users
Reported by: born2hack
Disclosed:
Severity: High
Weakness: Insecure Direct Object Reference (IDOR)
Bounty: $10500.00
RCE via npm misconfig -- installing internal libraries from the public registry
Reported by: alexbirsan
Disclosed:
Severity: Critical
Weakness: Code Injection
Bounty: $30000.00
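The misconfiguration named in this title is that a package referenced by an internal name is resolved from the public npm registry, where anyone can publish that name. Below is an added check a practitioner can run over a repository to find such names; it is not PayPal's tooling or the reporter's method. The package names, the `@corp` scope, the `.npmrc` contents and the set of known-internal names are constructed for the example.

```python
"""Flag npm dependencies that would be fetched from the public registry even though
they are internal (added example, constructed data).

Rule: a dependency is confusable when it is an internal name and it is not under a
scope that .npmrc pins to a private registry. Unscoped internal names always
resolve to the default registry, so they are always flagged.
"""
import json
import re


def parse_npmrc(text: str) -> dict:
    """Return {scope: registry_url} for lines like '@corp:registry=https://...'."""
    scoped = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(@[^:\s]+):registry\s*=\s*(\S+)", line)
        if m:
            scoped[m.group(1)] = m.group(2)
    return scoped


def confusable_dependencies(package_json: str, npmrc: str, internal_names: set) -> list:
    """List internal dependency names that are not pinned to a private registry."""
    pkg = json.loads(package_json)
    scoped = parse_npmrc(npmrc)
    deps = {}
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        deps.update(pkg.get(section, {}))
    findings = []
    for name in sorted(deps):
        if name not in internal_names:
            continue  # a genuine public package, not our concern here
        scope = name.split("/")[0] if name.startswith("@") else None
        if scope is None or scope not in scoped:
            findings.append(name)
    return findings


# Constructed sample project: two scoped internal packages, two unscoped ones.
SAMPLE_PACKAGE_JSON = json.dumps({
    "dependencies": {
        "express": "^4.18.0",
        "pp-internal-auth": "1.2.0",
        "@corp/logger": "2.0.0",
        "@corp/metrics": "1.0.0",
    },
    "devDependencies": {"corp-build-tools": "0.3.0"},
})
SAMPLE_NPMRC = "@corp:registry=https://npm.corp.internal/\nregistry=https://registry.npmjs.org/\n"
INTERNAL_NAMES = {"pp-internal-auth", "@corp/logger", "@corp/metrics", "corp-build-tools"}


if __name__ == "__main__":
    print(confusable_dependencies(SAMPLE_PACKAGE_JSON, SAMPLE_NPMRC, INTERNAL_NAMES))
```

With the sample `.npmrc`, only the unscoped names are flagged; remove the `@corp:registry` line and the scoped ones are flagged too, because npm then looks them up on the public registry. The durable fix is to publish everything internal under a scope that is both reserved on the public registry and pinned to the private one.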
Reflected XSS at https://www.paypal.com/ppcreditapply/da/us
Reported by: linkks
Disclosed:
Severity: Medium
Weakness: Cross-site Scripting (XSS) - Reflected
Stored XSS on https://paypal.com/signin via cache poisoning
Reported by: albinowax
Disclosed:
Severity: High
Weakness: HTTP Request Smuggling
Bounty: $18900.00
Unsafe deserialization leads to token leakage in PayPal & PayPal for Business [Android]
Reported by: bagipro
Disclosed:
Severity: Medium
Weakness: Deserialization of Untrusted Data
[Venmo Android] Remote theft of user session
Reported by: bagipro
Disclosed:
Severity: Medium
Weakness: Open Redirect
XSSI on refer.xoom.com allows stealing email addresses and posting to Twitter on behalf of victim
Reported by: alexbirsan
Disclosed:
Severity: Medium
Weakness: Cross-Site Request Forgery (CSRF)
Bounty: $3500.00
Reflect XSS and CSP Bypass on https://www.paypal.com/businesswallet/currencyConverter/
Reported by: cr33pb0y
Disclosed:
Severity: Medium
Weakness: Cross-site Scripting (XSS) - Reflected
Bypass for #488147 enables stored XSS on https://paypal.com/signin again
Reported by: albinowax
Disclosed:
Severity: High
Weakness: HTTP Request Smuggling
Bounty: $20000.00
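Both signin entries above (the original and the bypass) are classified as HTTP Request Smuggling, which the listing does not explain. The following added example shows the core of that weakness class: one byte stream that a Content-Length-based parser reads as a single request and a Transfer-Encoding-based parser reads as two. It is a minimal illustration, not PayPal's front end or the reporter's payload; the raw request, the hostname and the two toy parsers are constructed here.

```python
"""CL.TE request smuggling in miniature (added example, constructed request).

A front end that honours Content-Length forwards the whole byte string as one
request. A back end that honours Transfer-Encoding: chunked stops the body at the
zero-length chunk and treats the remaining bytes as the start of a second request,
which is then answered to whichever user's connection comes next.
"""


def _split_headers(raw: bytes):
    head, _, rest = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        k, _, v = line.partition(b":")
        headers[k.strip().lower()] = v.strip()
    return lines[0], headers, rest


def parse_by_content_length(raw: bytes) -> list:
    """Front-end view: request lines seen when bodies are delimited by Content-Length."""
    requests = []
    while raw:
        request_line, headers, rest = _split_headers(raw)
        requests.append(request_line)
        raw = rest[int(headers.get(b"content-length", b"0")):]
    return requests


def parse_by_chunked(raw: bytes) -> list:
    """Back-end view: a chunked body ends at the '0' chunk; later bytes start a new request."""
    requests = []
    while raw:
        request_line, headers, rest = _split_headers(raw)
        requests.append(request_line)
        if headers.get(b"transfer-encoding", b"").lower() == b"chunked":
            while True:
                size_line, _, rest = rest.partition(b"\r\n")
                size = int(size_line.split(b";")[0], 16)
                if size == 0:
                    if rest.startswith(b"\r\n"):  # empty trailer section
                        rest = rest[2:]
                    break
                rest = rest[size + 2:]  # chunk data plus its CRLF
            raw = rest
        else:
            raw = rest[int(headers.get(b"content-length", b"0")):]
    return requests


def is_ambiguous(raw: bytes) -> bool:
    """The defensive check: a request carrying both framing headers must be rejected."""
    _, headers, _ = _split_headers(raw)
    return b"content-length" in headers and b"transfer-encoding" in headers


def build_cl_te_request() -> bytes:
    """Constructed attacker request: Content-Length covers the smuggled request too."""
    smuggled = b"GET /admin HTTP/1.1\r\nFoo: bar\r\n\r\n"
    body = b"0\r\n\r\n" + smuggled
    return (b"POST / HTTP/1.1\r\n"
            b"Host: www.example.test\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n"
            b"Transfer-Encoding: chunked\r\n\r\n" + body)


if __name__ == "__main__":
    raw = build_cl_te_request()
    print("front end sees:", parse_by_content_length(raw))
    print("back end sees: ", parse_by_chunked(raw))
    print("ambiguous framing:", is_ambiguous(raw))
```

The two views disagree only because each side silently picked one framing header. RFC 7230 says a message with both must be treated as chunked and the Content-Length ignored, and many hardened front ends simply reject such requests outright, which is what `is_ambiguous` models. Stored-XSS-via-cache-poisoning follows when the smuggled second request's response is cached under a URL other users fetch.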
XSS [flow] - on www.paypal.com/paypalme/my/landing (requires user interaction)
Reported by: stefanovettorazzi
Disclosed:
Severity: Medium
Weakness: Cross-site Scripting (XSS) - Generic
Token leak in security challenge flow allows retrieving victim's PayPal email and plain text password
Reported by: alexbirsan
Disclosed:
Severity: High
Weakness: Missing Authentication for Critical Function
Bounty: $15300.00