The application is vulnerable to reflected cross-site scripting (XSS). The requested data, which contains JavaScript code, is reflected in the response. Attackers could trick users into following a link or navigating to a page that posts a malicious JavaScript statement to the vulnerable site, causing the malicious JavaScript to be rendered by the site and executed by the victim client. The JavaScript code could be used for several purposes including stealing user cookies or as a second step to hijacking a
user’s session. Another attack plan could include the possibility of inserting HTML instead of JavaScript to change/modify the contents of the vulnerable page, which could be used to trick the client.
ADVISORIES | August 31, 2019