The Payflow gateway is one of PayPal's merchant services. According to its official overview, clients should "feel secure knowing that 128-bit SSL encryption lets customers confidently use their credit cards online". They forgot to warn their customers that they are still susceptible to attack via cross-site scripting.
Fraudsters can use this vulnerability for phishing attacks and for stealing cookie-based authentication credentials. It is only a matter of time before PayPal resolves this security issue.
It is worth mentioning some XSS-vulnerable websites that Nemessis submitted to our archive: