The WebHybridClient class in PayPal 5.3 and previous versions for Android allows remote malicious users to execute arbitrary JavaScript on the system.
paypal paypal