TOPIC: PayPal Payflow payment gateway vulnerable to XSS


Written by Dimitris Pagkalos
Thursday, 1 November 2007
Good month to everyone! A cross-site scripting vulnerability affecting PayPal's Payflow payment gateway was discovered by Nemessis just two days after another PayPal XSS was fixed.

Link to working XSS as of today.

Mirror:
http://www.xssed.com/mirror/24422/

The Payflow gateway is one of PayPal's merchant services. According to its official overview, clients should "feel secure knowing that 128-bit SSL encryption lets customers confidently use their credit cards online". They forgot to warn their customers that they are still susceptible to attack via cross-site scripting.

Fraudsters can use this vulnerability for phishing attacks and stealing of cookie-based authentication credentials. It is only a matter of time before PayPal resolves this security issue.

It is interesting to mention some XSS vulnerable websites that Nemessis submitted to our archive:

livechat.ebay.com - Still vulnerable.
developer.ebay.com - Still vulnerable.
groups.ebay.com - Fixed.
lapi.ebay.com - Fixed.
cn.widget.yahoo.com - Still vulnerable. Only on IE.
wizards.yahoo.com - Fixed.
moneygram.com - Still vulnerable.
fastapp.usbank.com - 5 months have passed and still vulnerable.


__________________

Exposing the sleazery of ebaY and PayPal
