First, I found this bug in the Logitech company and reported it to HackerOne, but they responded: "This tool is from a 3rd party vendor and we are wondering if they know about the issue or if you have reached out to them about this yet. www.sdl.com is the vendor in question". As you all see, the URL-encoded GET input error set to login.invalid'"()&% can trigger XSS and JS will execute. Sorry, I haven't been able to share the link because of public and responsible disclosure. You can contact me at email@example.com.
Hello Fikri, I would recommend checking the general.properties file to see if the setting for enable_xss_protection is set. If not, I would try setting this to "true". It should help prevent cross-site scripting. Thanks!
Additional settings can be configured to increase security options in WorldServer. Please check out the article below which includes the parameter to prevent cross-site scripting.
How to increase security options in WorldServer
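The thread above leaves two things for an operator to verify: whether general.properties actually has enable_xss_protection set to true, and whether the error parameter still reflects the reporter's marker string (login.invalid'"()&%) into the page unencoded. The following is an added example, not code from SDL, WorldServer or the original posters. It assumes general.properties uses ordinary Java properties syntax (key=value, # or ! comments), and the two render_error_* functions are hypothetical stand-ins for a page template that reflects the error value, one without and one with HTML encoding; they are not WorldServer's real templates. The sample properties files are constructed for the example.

```python
"""Checks for the WorldServer reflected-XSS report discussed above.

Added example (not SDL/WorldServer code). Two independent checks:
  1. Does a general.properties file set enable_xss_protection=true?
  2. Does a response body reflect the probe string with its quotes,
     parentheses and ampersand intact (i.e. unencoded)?
"""
import html
import re

# Marker string from the report: quotes, parens, & and % all survive
# verbatim only if the page fails to encode the reflected 'error' value.
PROBE = "login.invalid'\"()&%"

# Constructed sample files for the example (assumed Java properties syntax).
WEAK_PROPERTIES = """\
# general.properties - constructed sample
ws.instance.name = production
# enable_xss_protection is commented out, so the protection is off
# enable_xss_protection = true
"""

FIXED_PROPERTIES = """\
# general.properties - constructed sample, hardened
ws.instance.name = production
enable_xss_protection = true
"""

_PROP_LINE = re.compile(r"^([^=:\s]+)\s*[=:]?\s*(.*)$")


def parse_properties(text):
    """Minimal Java-properties reader: ignores blanks and #/! comments,
    accepts 'key=value', 'key:value' or 'key value'. Last key wins, as in
    java.util.Properties."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = _PROP_LINE.match(line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def xss_protection_enabled(properties_text):
    """True only when enable_xss_protection is present and equals 'true'
    (case-insensitive); a missing or commented-out key counts as off."""
    value = parse_properties(properties_text).get("enable_xss_protection", "")
    return value.lower() == "true"


def reflects_unescaped(body, probe=PROBE):
    """True if the probe appears verbatim in the response body, meaning the
    reflected parameter kept its ' " ( ) & characters. A body that contains
    only the HTML-encoded form does not match."""
    return probe in body


# Hypothetical templates: the vulnerable reflection and its encoded form.
def render_error_unsafe(error_value):
    # Reflects the 'error' GET parameter without encoding (the reported bug).
    return f"<div class='login-error'>{error_value}</div>"


def render_error_safe(error_value):
    # html.escape with quote=True encodes & < > " and ' so the value cannot
    # break out of the element or attribute context.
    return f"<div class='login-error'>{html.escape(error_value, quote=True)}</div>"


if __name__ == "__main__":
    for name, text in (("weak", WEAK_PROPERTIES), ("fixed", FIXED_PROPERTIES)):
        print(f"{name}: enable_xss_protection={xss_protection_enabled(text)}")
    for name, page in (("unsafe", render_error_unsafe(PROBE)),
                       ("safe", render_error_safe(PROBE))):
        print(f"{name}: reflects probe unencoded={reflects_unescaped(page)}")
```

Run the properties check against the real general.properties after editing it, then fetch the login page with error=login.invalid'"()&% (URL-encoded) and pass the body to reflects_unescaped; both checks should come back false/true in the hardened direction before closing the report. The reflection check is deliberately conservative: it only flags the exact marker string, so a page that partially encodes or truncates the value still needs manual review of the surrounding HTML context.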