Reflected XSS on Pangle Endpoint
High
TikTok
Team Summary
Official summary from TikTok
A cross-site scripting (XSS) vulnerability was found at the Pangle endpoint via the 'redirect' parameter. This was caused by the reflection of user-supplied data without appropriate HTML escaping or output encoding. As a result, a JavaScript payload could have been returned by the above endpoint and executed within a user's browser. We saw no evidence of exploitation before the vulnerability was fixed and additional mitigations applied. We thank @m7x for reporting this to our team and confirming its remediation.
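The summary above attributes the bug to reflecting the 'redirect' parameter without HTML escaping or output encoding. The following is an added illustration and is not code from TikTok or the Pangle endpoint: a hypothetical handler that reflects the parameter verbatim, beside one that encodes it for the HTML context before reflection, run over a constructed sample value.

```python
import html

# Constructed sample values for a 'redirect' query parameter (not from the report).
BENIGN = "https://www.example.com/landing?x=1"
MARKUP = 'https://www.example.com/"><b>injected</b>'


def render_vulnerable(redirect: str) -> str:
    """Reflect the parameter with no output encoding (the defect class in the summary).

    The value is placed inside an attribute value and a text node verbatim, so
    quotes and angle brackets in the input are parsed by the browser as markup.
    """
    return f'<p>Redirecting to <a href="{redirect}">{redirect}</a></p>'


def render_safe(redirect: str) -> str:
    """Reflect the parameter after HTML-context output encoding.

    html.escape(..., quote=True) encodes & < > " and ', so the value can only
    ever be data inside the attribute and the text node, never new markup.
    """
    enc = html.escape(redirect, quote=True)
    return f'<p>Redirecting to <a href="{enc}">{enc}</a></p>'


def reflects_verbatim(page: str, raw: str) -> bool:
    """Detection-style check: does the raw input survive unchanged in the response?"""
    return raw in page


def tag_count(page: str) -> int:
    """Number of '<' characters in the response; the template itself contributes 4."""
    return page.count("<")


if __name__ == "__main__":
    for name, fn in (("vulnerable", render_vulnerable), ("safe", render_safe)):
        page = fn(MARKUP)
        print(f"{name}: verbatim={reflects_verbatim(page, MARKUP)} tags={tag_count(page)}")
```

Running the block shows the unencoded response carrying extra tags from the input, while the encoded response keeps exactly the four tags of the template.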
Reported by
32bit
Report Details
State
Closed
Substate
Resolved
Bounty
$5000.00
Weakness
Cross-site Scripting (XSS) - Reflected