Vulnerability Laboratory researcher Benjamin Kunz Mejri discovered what he described as a “Filter Bypass and Persistent Profile Mail Encoding Web Vulnerability,” according to a 30 March advisory.
The bug also could have allowed session hijacking, persistent redirecting to external sources and persistent manipulation of affected or connected service module context, the advisory said.
The vulnerability existed in the profile section of the PayPal.com application programme interface request.
“We are able to inject own malicious script codes to the PayPal service emails via filter bypass and application-side cross site scripting bug,” Mejri told the Register.
Mejri reportedly discovered the flaw in October 2015, but waited until it was patched to disclose.