Am I stupid or is this guy calling a XSS "Arbitrary Code Execution"?
It also seems to be a self-xss (a XSS on his account profile, which only he can see).
How can you write so much text and be unclear about what you are doing? No wonder Paypal didn't understand anything.
My understanding is that the author is saying they are able to do arbitrary code execution on Paypal's servers (at least the ones hosting their help center). If I understand correctly, one could upload executable code to certain profile fields in one's developer account and then get their help center to execute those.
I suppose the criticality of that would depend on what all was hosted on their help center server as well as what other servers one could gain access to via it.
Indeed this is one of the most verbose and rambling exploit descriptions I've seen... apparently you can inject some script/HTML code into a field in your profile, but I don't see how that could lead to this:
but can also remotly execute arbitrary codes to access local web-server files or configs
There must be something I'm not understanding. According to the timeline, this was around a year and a half from reporting to fix? I find it hard to imagine PayPal would let such a critical bug go unfixed in their services for so long - it's a higher risk to them than to anyone.
How can you write so much text and be unclear about what you are doing? No wonder Paypal didn't understand anything.