A reflected Cross-Site Scripting (XSS) vulnerability allows attackers to execute arbitrary external JavaScript code in the browser.
The application has an XSS vulnerability in its API:
Payload: `"><script>alert(window.location)</script>`
GET /system/api/restApiViewer: Passing the XSS payload in any parameter triggers the vulnerability.
GET /system/api/graphqlViewer: Passing the XSS payload in the `apiKey` parameter triggers the vulnerability.
https://drive.google.com/file/d/1QS4ayL3Wngxd0Vqf9l8kob9pKomFJV4X/view?usp=share_link
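
The defect class and its fix, as an added example that is not the application's own code: it assumes the viewer pages reflect query parameters into quoted HTML attributes, which the payload's leading `">` suggests. The function names and the markup are hypothetical, and the request is constructed from the payload above.

```javascript
// Added example: hypothetical server-side rendering of reflected query parameters.
// Assumption: parameters end up inside quoted HTML attributes.

// Encode the characters that are significant in HTML text and quoted attributes.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: names and values are concatenated into markup as-is,
// so a value starting with "> closes the attribute and the tag.
function renderUnsafe(params) {
  return [...params]
    .map(([name, value]) => `<input name="${name}" value="${value}">`)
    .join("\n");
}

// Hardened pattern: every reflected name and value is encoded on output.
function renderSafe(params) {
  return [...params]
    .map(([name, value]) => `<input name="${escapeHtml(name)}" value="${escapeHtml(value)}">`)
    .join("\n");
}

// Regression check for tests: the template above never emits a script element,
// so any literal <script in the output came from request data.
function introducesScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed request carrying the payload from this report in `apiKey`.
const payload = '"><script>alert(window.location)</script>';
const query = new URLSearchParams({ apiKey: payload });

console.log("unsafe:", renderUnsafe(query), "->", introducesScriptTag(renderUnsafe(query)));
console.log("safe:  ", renderSafe(query), "->", introducesScriptTag(renderSafe(query)));
```

Output encoding has to match the context the value lands in; this encoder covers HTML text and quoted attributes only, not inline script or URL contexts.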