Concrete CMS: Cross-Site Scripting in getMarketplacePurchaseFrame
The $mp->getProductBlockID variable in the getMarketplacePurchaseFrame function is not filtered properly to protect against HTML injection/XSS. This leads to XSS vulnerabilities in, for example, connect.php on line 14 when visiting a URL like:...
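The pattern described above and a filtered counterpart, as an added example that is not Concrete CMS code. The stub class, the checkout URL, the iframe markup, and the assumed ID format are hypothetical; only the getProductBlockID name comes from the report.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for the marketplace item object; only the method
// name getProductBlockID is taken from the report.
final class MarketplaceItemStub
{
    public function __construct(private string $productBlockID) {}
    public function getProductBlockID(): string { return $this->productBlockID; }
}

// Placeholder checkout base URL (assumption, not the real endpoint).
const CHECKOUT_BASE = 'https://marketplace.example/checkout';

// "Before": the ID is concatenated into markup without any filtering.
function purchaseFrameUnfiltered(MarketplaceItemStub $mp): string
{
    return '<iframe src="' . CHECKOUT_BASE . '/' . $mp->getProductBlockID() . '"></iframe>';
}

// "After": validate the ID's shape, then encode for the URL path and the
// HTML attribute context it is written into.
function purchaseFrameFiltered(MarketplaceItemStub $mp): string
{
    $id = $mp->getProductBlockID();
    // Assumption: IDs are short tokens of letters, digits, '_' and '-'.
    if (preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $id) !== 1) {
        throw new InvalidArgumentException('Invalid product block ID');
    }
    $src = CHECKOUT_BASE . '/' . rawurlencode($id);
    return '<iframe src="'
        . htmlspecialchars($src, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '"></iframe>';
}

// Constructed sample inputs: one well-formed ID, one carrying markup.
foreach (['a1b2c3', '"><b>injected</b>'] as $raw) {
    $mp = new MarketplaceItemStub($raw);
    echo 'unfiltered: ', purchaseFrameUnfiltered($mp), PHP_EOL;
    try {
        echo 'filtered:   ', purchaseFrameFiltered($mp), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'filtered:   rejected (', $e->getMessage(), ')', PHP_EOL;
    }
}
```

With the second sample, the unfiltered function closes the src attribute early and emits the extra markup as live HTML, while the filtered function rejects the value before any output is built.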