Non-administrative functions display success banners after multiple actions that reflect user-input directly without sanitization.
Receipt ID and external ID values, e.g.
<img src=x onerror="alert('LName')" />,
<img src=x onerror="alert('FName')" />,
<img src=x onerror="alert('RId')" />,
do not get sanitized when passed to the banner display function(s).
Cross-site Scripting (XSS) is an attack vector that allows arbitrary script execution in the context of a vulnerable page, which may lead to more severe impact such as session theft, data theft, phishing, and malicious or unintended processing on the client side.
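To show the root cause and its fix side by side, here is an added example written for this note; it is not the affected application's code and assumes, hypothetically, that the success banner is built as an HTML string from a trusted template plus the submitted field value. The sample field value is constructed to match the payloads quoted above.

```javascript
// Added example (not the affected application's code). Assumes the banner is
// rendered as an HTML string from a trusted template plus an untrusted value.

// Constructed sample input, modelled on the payloads quoted in the report.
const SAMPLE_RECEIPT_ID = '<img src=x onerror="alert(\'RId\')" />';

// Vulnerable pattern: the field value is concatenated straight into markup, so
// any HTML in the value becomes part of the page and its event handler runs.
// fieldLabel is assumed to be a server-side constant, not user input.
function renderBannerUnsafe(fieldLabel, value) {
  return `<div class="banner success">Saved ${fieldLabel}: ${value}</div>`;
}

// Contextual output encoding for the HTML element-content context: every
// character that can open or close a tag, attribute or entity is replaced.
// (For attribute, URL or script contexts a different encoder is required.)
function escapeHtml(input) {
  return String(input)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hardened pattern: same template, but the untrusted value is encoded first,
// so the browser renders the payload as literal text instead of a tag.
function renderBannerSafe(fieldLabel, value) {
  return `<div class="banner success">Saved ${fieldLabel}: ${escapeHtml(value)}</div>`;
}

// Regression check for a test suite: does the submitted value survive in the
// rendered banner unencoded while containing markup-significant characters?
// true means the banner reflects raw markup (the reported defect); false means
// the value was encoded (or contained nothing that needed encoding).
function bannerReflectsRawMarkup(rendered, value) {
  return /[<>"']/.test(value) && rendered.includes(value);
}
```

The check in `bannerReflectsRawMarkup` is deliberately simple: it flags the exact failure mode described above (the raw value appearing verbatim in the output) and can be run over every field the banner echoes, such as receipt ID and external ID, as part of the fix's regression tests.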
Testing was performed on a local deployment.