When you try to access private pages on the domain https://td.intelliresponse.com/a6 you are redirected to a login page, which has reflected values in the DOM from the URL on the parameter βwinβ. Once there is no proper handle for the data reflected, it turns out into a vulnerable path on the application that could be used to perform a Cross Site Scripting attack.
Access the current URL and the alert with your cookie will pop up on the screen: https://td.intelliresponse.com/a6/shared/popupLogin.jsp?win="><script>alert(document.cookie)</script>
{F2149294}
Mitigations for XSS typically involve sanitizing data input (to make sure input does not contain any code), escaping all output (to make sure data is not presented as code), and re-structuring applications so code is loaded from well-defined endpoints.
An attacker could craft a payload to extract user admin credentials or steal his session and could perform several damages to the application by abusing the admin privilege, reading private data, or even taking over users accounts.