Reflected XSS on Partners Subdomain

There was a reflected cross site scripting vulnerability at https://partners.uber.com/. By providing a specifically crafted value, it was possible for an attacker to inject malicious content into the partners.uber.com site, which would then be executed when the site is loaded. We enjoyed working with @mefkan on this issue and look forward to their next submission to our program.