The application reflects user-supplied input (for example, a query-string parameter) into HTTP responses without output encoding appropriate to the context in which it lands. An attacker can therefore inject markup or script that the victim's browser executes as part of the application's own origin (reflected cross-site scripting, XSS). The payload is carried in a crafted URL or form submission and runs when the victim opens it.
Because the injected script runs with the victim's session, an attacker could read session cookies that are not flagged HttpOnly, capture credentials typed into the page, perform authenticated actions on behalf of the user, redirect the user to a malicious site, or deface the application as seen by that user.
Encode all user-supplied data at the point of output with an encoder matched to the destination context (HTML element content, quoted attribute, JavaScript string, URL); a single generic "sanitize" pass does not cover every context. Deploy a Content Security Policy that disallows inline script (nonce- or hash-based script-src) as defence in depth; CSP limits exploitation but does not remove the underlying flaw. Validate input on the server side as a supporting control, not as a substitute for output encoding. Prefer templating engines that auto-escape by default and review every use of their raw or unescaped output helpers.
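The following is an added example, not code from the application under assessment: it places the vulnerable string concatenation next to a hardened version that applies a different encoder in each of the three output contexts the finding concerns (element content, attribute value, JavaScript string), and builds a nonce-based CSP header value. The attack payload and the nonce value are constructed for the demonstration; in production the nonce must be generated per response with a cryptographically secure random source.

```javascript
// Constructed payload: the same string is reflected into three contexts and
// is designed to break out of each one.
const PAYLOAD = '"><script>alert(document.cookie)</script>';

// Vulnerable rendering: raw interpolation of user input into the response.
function renderVulnerable(query) {
  return `<p>Results for ${query}</p>` +
         `<input value="${query}">` +
         `<script>var q = "${query}";</script>`;
}

// Encoder for HTML element content (text between tags).
function encodeHtml(s) {
  return String(s).replace(/[&<>"'/]/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;',
    '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
  })[c]);
}

// Encoder for quoted HTML attribute values: every character outside
// [A-Za-z0-9] becomes a numeric character reference, so no attribute
// delimiter or event-handler syntax survives.
function encodeAttr(s) {
  return String(s).replace(/[^A-Za-z0-9]/gu,
    c => `&#x${c.codePointAt(0).toString(16).toUpperCase()};`);
}

// Encoder for data placed inside a quoted JavaScript string literal.
// Hex escapes cover quotes, backslashes and the "</script>" sequence.
function encodeJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/gu, c => {
    const cp = c.codePointAt(0);
    if (cp <= 0xff) return '\\x' + cp.toString(16).toUpperCase().padStart(2, '0');
    if (cp <= 0xffff) return '\\u' + cp.toString(16).toUpperCase().padStart(4, '0');
    return `\\u{${cp.toString(16).toUpperCase()}}`;
  });
}

// Hardened rendering: one encoder per context. The inline script is allowed
// only because it carries the per-response CSP nonce.
function renderHardened(query, nonce) {
  return `<p>Results for ${encodeHtml(query)}</p>` +
         `<input value="${encodeAttr(query)}">` +
         `<script nonce="${encodeAttr(nonce)}">var q = "${encodeJsString(query)}";</script>`;
}

// Content-Security-Policy header value: no inline script without the nonce,
// no plugins, no <base> hijacking. 'strict-dynamic' lets nonced scripts load
// further scripts without whitelisting hosts.
function buildCsp(nonce) {
  return [
    "default-src 'self'",
    `script-src 'nonce-${nonce}' 'strict-dynamic'`,
    "object-src 'none'",
    "base-uri 'none'",
  ].join('; ');
}

// Crude marker for "did the payload land as live markup": the hardened
// output must not contain the attacker's opening tag anywhere.
function containsInjectedScript(html) {
  return html.includes('<script>alert');
}

// Demo with a fixed nonce (assumption for the offline example only).
const DEMO_NONCE = 'r4nd0mN0nc3ForDemo';
console.log('vulnerable:', renderVulnerable(PAYLOAD));
console.log('hardened:  ', renderHardened(PAYLOAD, DEMO_NONCE));
console.log('Content-Security-Policy:', buildCsp(DEMO_NONCE));
```

The attribute and JavaScript encoders deliberately escape everything that is not alphanumeric rather than maintaining a denylist of dangerous characters; that is what makes them safe against alternative quoting styles and against a template that later changes from double to single quotes. Note that none of these encoders is suitable for a URL context or for data that must land inside a CSS block; each of those needs its own encoder.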