# DOM XSS on app.starbucks.com via ReturnUrl
**Severity:** Medium
## Vulnerability Details
**Summary:** XSS can be achieved via the ReturnUrl when signing in on app.starbucks.com
**Platform(s) Affected:** app.starbucks.com
## Steps To Reproduce:
1. Visit https://app.starbucks.com/account/signin?ReturnUrl=%09Jav%09ascript:alert(document.domain)
2. Sign in
## Supporting Material/References:
{F461364}
## How can the system be exploited with this bug?
XSS could be used to steal the account of any victim that signs in via the URL.
## How did you come across this bug?
Retesting report #438240
## Recommendations for fix
Improve the checks on ReturnUrl such as not allowing hex characters 00-1F
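A strict ReturnUrl validator along the lines of that recommendation, written as an added example for this page (not Starbucks' code; the function names, the `/account` fallback and the sample sign-in URL's handling are assumptions). It shows why the check has to run on the decoded value: the `%09` in the query string becomes a literal tab that browsers ignore inside a URL scheme.

```javascript
// Added example, not the application's real validation.
// Extracts the ReturnUrl query parameter exactly as a browser would,
// i.e. percent-decoded, so "%09" arrives as a real tab character.
function returnUrlFromSignInHref(href) {
  return new URL(href).searchParams.get("ReturnUrl") ?? "";
}

// Returns true only when the decoded ReturnUrl is safe to redirect to.
function isSafeReturnUrl(raw) {
  if (typeof raw !== "string" || raw.length === 0) return false;

  // The report's bypass puts tabs inside "javascript:". A naive prefix
  // check misses it, but browsers strip tab/newline when parsing the
  // scheme. Reject every C0 control character (0x00-0x1F) and DEL first.
  for (const ch of raw) {
    const code = ch.charCodeAt(0);
    if (code <= 0x1f || code === 0x7f) return false;
  }

  // Accept only a root-relative path: one leading slash followed by
  // neither "/" nor "\", which rules out protocol-relative "//host" and
  // the "/\host" form browsers normalise to the same thing.
  if (!/^\/(?![\/\\])/.test(raw)) return false;

  // Resolve against the fixed origin and confirm the parser agrees that
  // the result stays on it; this catches anything the regex alone missed.
  const origin = "https://app.starbucks.com";
  let parsed;
  try {
    parsed = new URL(raw, origin);
  } catch {
    return false;
  }
  return parsed.origin === origin && parsed.protocol === "https:";
}

// Applies the check and falls back to a fixed post-login page (assumed).
function resolveReturnUrl(raw, fallback = "/account") {
  return isSafeReturnUrl(raw) ? raw : fallback;
}
```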
## Impact
As with any XSS, it could be used to steal the cookies of the victim to gain access to their account.
## Report Stats
- Report ID: 526265
- State: Closed
- Substate: resolved
- Upvotes: 26