bug-bounty
A critical remote code execution vulnerability was discovered in PayPal's manager.paypal.com through unsafe Java object deserialization of the 'oldFormData' POST parameter. It was exploitable via the Commons Collections gadget chain and the ysoserial tool to execute arbitrary OS commands and reach production databases. The vulnerability was reported in December 2015 and patched by PayPal's security team.
remote-code-execution
java-deserialization
unsafe-deserialization
object-deserialization
commons-collections
ysoserial
paypal
bug-bounty
web-application
post-parameter-injection
gadget-chain
arbitrary-command-execution
PayPal
manager.paypal.com
Michael Stepankin
artsploit
Chris Frohoff
Gabriel Lawrence
Mark Litchfield
FoxGlove Security
ysoserial
Commons Collections