Reflected XSS at https://www.paypal.com/ppcreditapply/da/us

Researchers identified endpoints that were vulnerable to reflected XSS, due to insufficient input sanitization. This could allow malicious client-side content to be rendered by the app, which could affect a user's session, browser, or the contents of the page itself. The issue was resolved by applying a specific filter on the input and returning it as a sanitized string.