Reflected cross-site scripting (XSS) vulnerability in scores.ubnt.com allows attackers to inject arbitrary web script via p parameter.
Medium
Ubiquiti Inc.
Reported by
edoverflow
Vulnerability Details
Technical details and impact analysis
Dear Ubiquiti Networks bug bounty team,
# Short Description
---
scores.ubnt.com is still vulnerable to reflected XSS, a form of client-side code injection wherein one can execute malicious scripts in a page. The fix to https://hackerone.com/reports/158484 does not suffice for some browsers (mainly older versions) since there are `style` attribute XSS vectors.
# Why does this vulnerability exist?
---
Cross-site scripting exists whenever input can be interpreted as code. Scripts can be injected into the `style` attribute via the `p` parameter as follows:
https://scores.ubnt.com/form.html?uid=259&p=airFiber);xss:expression(alert(1));border-image:url(foobar
Here is a list of payloads:
~~~
);xss:expression(alert(1));border-image:url(foobar
);border-image: url(blocked:alert(1));content:url(foobar
~~~
# What are the exploits?
---
A cross-site scripting vulnerability allows an attacker to modify the page. This means he/she can inject forms to steal usernames, passwords, cookies (no HttpOnly flag present) and so forth. In short, XSS opens the doors to plenty of phishing techniques.
A very good list of malicious payloads can be found here: http://www.xss-payloads.com/payloads.html
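The following is an added example, not code from the report or from Ubiquiti: it contrasts reflecting `p` into a `style` value by raw concatenation with an allowlist check applied first. The `background-image:url(/img/<p>.png)` template, the token pattern, the fallback name and all function names are assumptions made for illustration; the report does not show the page's actual code.

~~~javascript
// Added example: assumes (not confirmed by the report) that form.html builds
// a style value such as  background-image:url(/img/<p>.png)  from the p parameter.
const ALLOWED_TOKEN = /^[A-Za-z0-9_-]{1,32}$/; // hypothetical product-name format
const DEFAULT_PRODUCT = "default";              // hypothetical fallback image name

// Return p unchanged only if it is a plain product token; otherwise null.
function safeProductToken(p) {
  return typeof p === "string" && ALLOWED_TOKEN.test(p) ? p : null;
}

// Vulnerable shape: raw concatenation lets ")" close url( and ";" start new declarations.
function buildStyleUnsafe(p) {
  return "background-image:url(/img/" + p + ".png)";
}

// Hardened shape: validate first, fall back to a fixed value on rejection.
function buildStyleSafe(queryString) {
  const p = new URLSearchParams(queryString).get("p");
  const token = safeProductToken(p) ?? DEFAULT_PRODUCT;
  return "background-image:url(/img/" + token + ".png)";
}

// Count the CSS declarations a style string would produce (split on ";").
function declarationCount(style) {
  return style.split(";").filter((d) => d.trim() !== "").length;
}

// Constructed inputs: one benign value and the two payloads quoted in the report.
const samples = [
  "uid=259&p=airFiber",
  "uid=259&p=" + encodeURIComponent(");xss:expression(alert(1));border-image:url(foobar"),
  "uid=259&p=" + encodeURIComponent(");border-image: url(blocked:alert(1));content:url(foobar"),
];

for (const qs of samples) {
  const raw = new URLSearchParams(qs).get("p");
  console.log(JSON.stringify(raw));
  console.log("  unsafe:", declarationCount(buildStyleUnsafe(raw)), "declaration(s)");
  console.log("  safe:  ", buildStyleSafe(qs));
}
~~~

In the browser, assigning the validated value through a single CSSOM property such as `element.style.backgroundImage`, rather than writing a whole `style` attribute string, also confines the input to one declaration.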
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Weakness
Cross-site Scripting (XSS) - Generic