PayPal


18 total issues disclosed

$236,000 total paid publicly


Most disclosed (5 disclosures) — HTTP Request Smuggling




Disclosed Reports


| Report Title | Vulnerability Type | Disclosed By | Severity | Disclosed on |
|---|---|---|---|---|
| Unsafe deserialization leads to token leakage in PayPal & PayPal for Business [Android] | Deserialization of Untrusted Data | bagipro | Medium | 2021-04-30 |
| RCE via npm misconfig -- installing internal libraries from the public registry | Code Injection | alexbirsan | Critical | 2021-02-09 |
| Reflected XSS at https://www.paypal.com/ppcreditapply/da/us | Cross-site Scripting (XSS) - Reflected | linkks | Medium | 2020-05-19 |
| Token leak in security challenge flow allows retrieving victim's PayPal email and plain text password | Missing Authentication for Critical Function | alexbirsan | High | 2020-01-08 |
| DoS on PayPal via web cache poisoning | Denial of Service | albinowax | Medium | 2019-10-23 |
| Bypass for #488147 enables stored XSS on https://paypal.com/signin again | HTTP Request Smuggling | albinowax | High | 2019-08-07 |
| Stored XSS on https://paypal.com/signin via cache poisoning | HTTP Request Smuggling | albinowax | High | 2019-08-07 |
| IDOR to add secondary users in www.paypal.com/businessmanage/users/api/v1/users | Insecure Direct Object Reference (IDOR) | born2hack | High | 2019-07-30 |
| [PayPal Android] Remote theft of user session using push_notification_webview deeplink | Open Redirect | bagipro | Medium | 2019-02-08 |
| [Venmo Android] Remote theft of user session | Open Redirect | bagipro | Medium | 2019-02-08 |
| XSS [flow] - on www.paypal.com/paypalme/my/landing (requires user interaction) | Cross-site Scripting (XSS) - Generic | stefanofinding | Medium | 2018-11-06 |