Reflect XSS and CSP Bypass on https://www.paypal.com/businesswallet/currencyConverter/
Medium
PayPal
Team Summary
Official summary from PayPal
An endpoint used for currency conversion was found to suffer from a reflected XSS vulnerability, where user input was not being properly sanitized in a parameter in the URL. This could lead to a malicious user injecting malicious JavaScript, HTML, or any other type of code that the browser may execute. The malicious script will execute in the browser page DOM of another user typically without their knowledge or consent. This was resolved by implementing additional controls to validate and sanitize user input before being returned in the response.
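The summary above describes the pattern (a URL parameter reflected into the response without encoding) and the fix (validating and encoding the value before it is written back). The following is an added example, not PayPal's code and not the reporter's proof of concept: it reflects a query parameter the way the vulnerable handler would, beside a hardened version that allow-list validates the value and HTML-encodes it at output. The parameter name `amount`, the host `example.test` and the page markup are assumptions; the report does not name the affected parameter or describe how the CSP in place was bypassed, so neither is modelled here.

```javascript
// Added example: reflected XSS in a currency-converter-style endpoint and
// the output-encoding fix. Not PayPal's code; the parameter name "amount",
// the host and the page markup are assumptions, not taken from the report.

// Minimal HTML entity encoder for the characters that break out of text or
// attribute context. Encoding at output time is the control the summary
// describes: the value is rendered inert rather than silently rejected.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Vulnerable handler: the query parameter is concatenated straight into the
// response body, so <script> in the URL becomes <script> in the page and
// runs in the origin of whoever opens the link.
function renderVulnerable(url) {
  const params = new URL(url).searchParams;
  const amount = params.get('amount') ?? '';
  return `<p>Converting ${amount} USD</p>`;
}

// Hardened handler: same page, but the value is validated against the shape
// a currency amount should have and HTML-encoded before it is reflected.
function renderSafe(url) {
  const params = new URL(url).searchParams;
  const raw = params.get('amount') ?? '';
  // Allow-list validation: digits with an optional two-digit decimal part.
  const amount = /^\d{1,12}(\.\d{1,2})?$/.test(raw) ? raw : '';
  return `<p>Converting ${escapeHtml(amount)} USD</p>`;
}

// Crude detector used only to show the difference between the two handlers:
// does the response carry a <script> tag or an on* event handler attribute?
function containsActiveHtml(html) {
  return /<script\b|<\w+[^>]*\son\w+\s*=/i.test(html);
}

// Constructed test URL; host and path are illustrative placeholders.
const PAYLOAD_URL =
  'https://example.test/currencyConverter/?amount=' +
  encodeURIComponent('<script>alert(document.domain)</script>');

if (typeof require !== 'undefined' && require.main === module) {
  console.log(renderVulnerable(PAYLOAD_URL)); // script tag reflected intact
  console.log(renderSafe(PAYLOAD_URL));       // payload rejected and encoded
}
```

Output encoding is the fix; a Content Security Policy is defense in depth. The report title records that the CSP on the page did not stop the injection, so a policy alone should not be relied on to neutralise a reflected parameter.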
Reported by
cr33pb0y
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Weakness
Cross-site Scripting (XSS) - Reflected