2 matches found
Zomato: Zomato.com Reflected Cross Site Scripting
zomato.com/php/liveSuggest.php takes various field inputs to show customized output for the users. The data entered in the entityid field is not sanitized or HTML-encoded, which allows a user to add payloads via this parameter, which will be reflected to the user. Steps to reproduce: Please click on below li...
zomato.com XSS vulnerability
Vulnerable URL: https://www.zomato.com/es/westchester-county/take-away-in-purchase?cft=2=0=1=1'%7D%3Bconfirm%27OPENBUGBOUNTY%27%3Ba%3d%7B'a':'1=2

Details:

Description | Value
---|---
Patched: | Yes, at 27.07.2017
Latest check for patch: | 27.07.2017 07:06 GMT
Vulnerability type: | XSS Vulnerability...