Shubham Upadhyay, sent in the permanent XSS that affects products listings on to and has revealed that users would need a seller account to exploit the XSS bug. “I’ve found a critical persistent xss bug on ebay. for that you need a seller account “Once you login to your seller account on eBay, create a listing for sale” notes Upadhyay.

EBay has been notified but, the vulnerability still remains. Firefox users may avoid the XSS script by using the NoScript addon notes ZDNet.

XSSed has noted that the injected script has been seen to execute in Google Chrome on another subdomain with an iframe. Upadhyay has claimed that the script also executes in when the user is logged in using his / her seller account.