Reflected XSS Vulnerability in Application Endpoint Enables Arbitrary JavaScript Execution
A reflected cross-site scripting vulnerability has been identified in an application endpoint, allowing attackers to inject arbitrary JavaScript into user sessions. The flaw resides in how the application handles the "after category" parameter, copying its value directly into an HTML tag attribute wrapped in single quotation marks without proper sanitization or encoding.
The proof-of-concept payload `%27%3E%22%3Csvg%2Fonload=confirm%28document.domain%29%3E` (URL-decoded: `'>"<svg/onload=confirm(document.domain)>`) was submitted through the site's search function and produced the `confirm()` dialog showing `document.domain`, demonstrating that the injected JavaScript executes in the page's origin. Reflected XSS flaws arise when user-supplied data from a request is echoed into the application's immediate response without encoding the characters that are unsafe in the output context; here the leading single quote closes the attribute and the remainder of the value is parsed as new markup. An attacker who crafts a link containing the payload and induces a victim to open it causes that JavaScript to run in the victim's browser, within the victim's session.
The implications extend to session hijacking, including theft of session tokens or credentials accessible to script in the browser. Attackers could also redirect users to phishing pages, modify page content, or, when the victim is authenticated, perform actions in the application with the victim's privileges. This class of vulnerability requires victim interaction, typically clicking a crafted link, so it is most often delivered through phishing campaigns or links planted on other sites. Remediation is context-aware output encoding of user-supplied data before it is reflected: for a single-quoted HTML attribute, at minimum `'`, `"`, `<`, `>` and `&` must be encoded as HTML entities. Input validation is a useful secondary control but does not replace output encoding, since the same value may later be reflected into a context the validation did not anticipate.
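The attribute-context defect described above, as an added Python example that is not the affected application's code: a hypothetical template reflects the `after_category` value into a single-quoted `value` attribute, first verbatim and then through `html.escape`, and a small `html.parser` check reports any element that ends up carrying an `on*` event-handler attribute, which is the observable sign that the value escaped its attribute.

```python
import html
from html.parser import HTMLParser
from urllib.parse import unquote

# The proof-of-concept payload from the write-up, URL-encoded as submitted.
POC_PAYLOAD = "%27%3E%22%3Csvg%2Fonload=confirm%28document.domain%29%3E"
DECODED_POC = unquote(POC_PAYLOAD)

# Hypothetical template (not the real application's markup): the parameter
# lands inside a single-quoted attribute, the context the write-up describes.
TEMPLATE = "<form><input type='text' name='after_category' value='{value}'></form>"


def render_vulnerable(after_category: str) -> str:
    """Reflects the parameter verbatim: a single quote in the value closes the
    attribute and everything after it is parsed as new markup."""
    return TEMPLATE.format(value=after_category)


def render_hardened(after_category: str) -> str:
    """Encodes for the HTML attribute context before reflection. With quote=True,
    html.escape turns ' " < > and & into entities, so the browser keeps the
    whole value inside the attribute and decodes it back to the original text."""
    return TEMPLATE.format(value=html.escape(after_category, quote=True))


class _TagCollector(HTMLParser):
    """Records (tag, attrs) for every start tag, roughly as a browser tokenizes."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[tuple[str, dict]] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parse_tags(markup: str) -> list[tuple[str, dict]]:
    parser = _TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags


def injected_event_handlers(markup: str) -> list[str]:
    """Returns 'tag.onxxx' for each element with an on* attribute: a cheap
    check that a reflected value broke out of its attribute context."""
    return [f"{tag}.{name}" for tag, attrs in parse_tags(markup)
            for name in attrs if name.lower().startswith("on")]


if __name__ == "__main__":
    print("vulnerable:", injected_event_handlers(render_vulnerable(DECODED_POC)))
    print("hardened:  ", injected_event_handlers(render_hardened(DECODED_POC)))
```

The same check can be pointed at a captured HTTP response to confirm a fix: the hardened rendering yields no event-handler attributes and the `input` element's `value` still equals the submitted text.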