# Potential XSS Vulnerability in Acronis Login Callback URL
Severity: High
## Summary
The login callback URL, https://learn.acronis.com/portal/, is vulnerable to Cross-Site Scripting (XSS). After a user logs in and is redirected to this URL, the value of the redirectUrl parameter is not properly validated, so an attacker can supply a javascript: URL in it and have arbitrary JavaScript executed in the user's browser. That code could be used to steal the user's session cookie, carry out phishing, or deface the website.
## Steps To Reproduce
I was able to exploit this vulnerability by crafting a URL that included malicious JavaScript code in the redirectUrl parameter. When a user clicks on this URL and logs in, the injected code is executed in the user's browser.
For example, the following URL would display an alert containing the website domain: https://learn.acronis.com/portal/login-callback?redirectUrl=javascript:alert(document.domain)
An attacker could replace the alert with malicious code that steals the user's session cookie or redirects the user to a phishing website.
{F3449354}
## Impact
This vulnerability could allow an attacker to:
- Steal user session cookies
- Perform phishing attacks
- Deface the website
- Take control of user accounts
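The underlying defect is that a redirectUrl value with a javascript: scheme is followed after login. The usual fix is to allow-list the redirect target before navigating. The following is an added, illustrative JavaScript check (not Acronis code); it assumes the trusted origin is https://learn.acronis.com and that /portal/ is the fallback landing page.

```javascript
// Added example, not code from the Acronis portal: validate a post-login
// redirect target before it is ever assigned to window.location.
// Assumed trusted origin and fallback page (hypothetical values).
const TRUSTED_ORIGIN = "https://learn.acronis.com";
const DEFAULT_LANDING = "/portal/";

// Returns a same-origin path to navigate to, or DEFAULT_LANDING when the
// supplied redirectUrl is missing, unparsable, non-http(s), or off-origin.
function safeRedirectTarget(redirectUrl, trustedOrigin = TRUSTED_ORIGIN) {
  if (typeof redirectUrl !== "string" || redirectUrl.length === 0) {
    return DEFAULT_LANDING;
  }
  // Protocol-relative and backslash forms ("//host", "/\host") would resolve
  // to a foreign host; reject them before parsing.
  if (/^[\\/]{2}/.test(redirectUrl)) {
    return DEFAULT_LANDING;
  }
  let parsed;
  try {
    // Relative paths resolve against our own origin; absolute URLs keep theirs.
    // The WHATWG parser also strips leading whitespace and lowercases the
    // scheme, so " JAVASCRIPT:..." is still recognised as javascript:.
    parsed = new URL(redirectUrl, trustedOrigin);
  } catch {
    return DEFAULT_LANDING;
  }
  // Only http(s) survives: javascript:, data:, vbscript: etc. are discarded.
  if (parsed.protocol !== "https:" && parsed.protocol !== "http:") {
    return DEFAULT_LANDING;
  }
  // Absolute URLs must point back at the trusted origin (open-redirect guard).
  if (parsed.origin !== trustedOrigin) {
    return DEFAULT_LANDING;
  }
  // Return only the path component so the caller navigates within the site.
  return parsed.pathname + parsed.search + parsed.hash;
}

// Usage at the callback page (constructed example):
// window.location.assign(safeRedirectTarget(params.get("redirectUrl")));
```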
## Report Stats
- Report ID: 2611305
- State: Closed
- Substate: resolved
- Upvotes: 25