Reflected XSS in www.lahitapiola.fi (/cs/Satellite) using Oracle WebCenter -page
Unknown
Vulnerability Details
It is possible to include HTML/JavaScript code in the "destpage" parameter of one of the Fatwire pages.
The affected Fatwire page is: OpenMarket/Xcelerate/UIFramework/LoginError
This allows launching a reflected XSS attack by creating a simple URL like the following:
https://www.lahitapiola.fi/cs/Satellite?destpage="><h1>xxx<script>alert(111)</script>&pagename=OpenMarket%2FXcelerate%2FUIFramework%2FLoginError
The XSS is not persistent, so only users that visit the malicious URL will execute the injected JavaScript.
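The fix for this class of bug, as an added example that is not part of the original report or of the vendor's code: the reflected "destpage" value is validated against an allowlist and HTML-encoded before output. It assumes the page echoes "destpage" into a quoted attribute (suggested by the `">` prefix in the reported URL); all function names and the site-relative-path policy are hypothetical.

```javascript
// Added example: hypothetical rendering of a login-error page that reflects
// the "destpage" query parameter into a hidden form field (assumed context).

// Query string taken from the URL in the report.
const REPORT_QUERY =
  'destpage="><h1>xxx<script>alert(111)</script>' +
  '&pagename=OpenMarket%2FXcelerate%2FUIFramework%2FLoginError';

// Vulnerable form: the raw value is concatenated into the attribute.
function renderVulnerable(destpage) {
  return `<input type="hidden" name="destpage" value="${destpage}">`;
}

// Encode the characters that are significant in HTML text and quoted attributes.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Allowlist (assumed policy): destpage must be a site-relative path, so
// markup characters, absolute URLs and "//host" forms are all rejected.
function isSafeDestpage(value) {
  return /^\/(?!\/)[A-Za-z0-9_.%?=&\/-]*$/.test(value);
}

// Hardened form: validate first, fall back to a fixed default, always encode.
function renderHardened(destpage, fallback = '/') {
  const value = isSafeDestpage(destpage) ? destpage : fallback;
  return `<input type="hidden" name="destpage" value="${escapeHtml(value)}">`;
}

// Runs the reported query string through both renderers.
function demo() {
  const destpage = new URLSearchParams(REPORT_QUERY).get('destpage');
  return {
    destpage,
    vulnerable: renderVulnerable(destpage),
    hardened: renderHardened(destpage),
    encodedOnly: escapeHtml(destpage),
  };
}
```

Encoding alone already neutralises the reported payload; the allowlist additionally keeps the parameter from carrying anything other than a local path.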
Report Stats
- Report ID: 164578
- State: Closed
- Substate: resolved
- Upvotes: 2