Greetings!
I’ve found a reflected XSS on a login page on █████. The vulnerable link is: https://███████/users/login?error=<img src>
█████████
An attacker can inject crafted JavaScript that can steal user cookies, impersonate users, steal information, deface the website and redirect users to another domain.
██████████
Access https://██████/users/login?error=<img src>
Sanitize the output with htmlspecialchars();
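
The fix recommended above, shown as an added example that is not code from the affected site: a hypothetical login template helper that reflects the `error` parameter, first unencoded and then through `htmlspecialchars()`. The function names, the `LOGIN_ERRORS` table and the surrounding markup are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Assumed vulnerable pattern: the query parameter is written into the page
// as-is, so any markup in ?error= is parsed by the browser as HTML.
function render_error_unsafe(string $error): string
{
    return '<div class="error">' . $error . '</div>';
}

// Hardened: encode for the HTML context before output.
// ENT_QUOTES also encodes ' and ", which matters if the value is ever
// placed inside an attribute. ENT_SUBSTITUTE replaces invalid UTF-8
// sequences instead of making the function return an empty string.
function render_error_encoded(string $error): string
{
    $safe = htmlspecialchars($error, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<div class="error">' . $safe . '</div>';
}

// Stricter option: never reflect the parameter at all. Treat it as a key
// into a fixed set of messages (hypothetical keys) and still encode the result.
const LOGIN_ERRORS = [
    'invalid' => 'Invalid username or password.',
    'locked'  => 'This account is locked.',
];

function render_error_allowlisted(string $error): string
{
    $message = LOGIN_ERRORS[$error] ?? 'Login failed.';
    return render_error_encoded($message);
}

// Constructed sample input: the parameter value from the report's URL.
$input = '<img src>';

echo render_error_unsafe($input), PHP_EOL;      // tag reaches the browser as markup
echo render_error_encoded($input), PHP_EOL;     // tag is emitted as inert text
echo render_error_allowlisted($input), PHP_EOL; // unknown key falls back to a fixed message
```

Encoding has to match the output context: `htmlspecialchars()` covers HTML body and quoted attribute values, not values written into inline script or URLs.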