pay is vulnerable to Cross-Site Scripting (XSS). The vulnerability is caused by a lack of sanitization of the back parameter in payments_controller.rb, which allows an attacker to inject an arbitrary redirect URL, resulting in reflected Cross-Site Scripting.
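
One way to validate a user-supplied redirect value such as back before it is used, shown as an added example; this is not code from pay and not the project's actual fix. The helper name safe_back_url, the allowed_hosts parameter and the host app.example.com are assumptions made for illustration.

```ruby
require "uri"

# Hypothetical helper, not from the pay gem: returns `back` only when it is a
# local path or an http(s) URL on an allow-listed host, else the fallback.
ALLOWED_SCHEMES = %w[http https].freeze

def safe_back_url(back, allowed_hosts:, fallback: "/")
  return fallback unless back.is_a?(String)
  value = back.strip
  return fallback if value.empty?
  # Control characters and backslashes are normalised differently by browsers
  # and by URI parsers, so refuse them outright.
  return fallback if value.match?(/[\x00-\x1f\x7f\\]/)

  begin
    uri = URI.parse(value)
  rescue URI::InvalidURIError
    return fallback
  end

  if uri.scheme.nil?
    # Relative reference: accept a single leading slash only, which excludes
    # scheme-relative values such as //other-host/path.
    local = uri.host.nil? && value.start_with?("/") && !value.start_with?("//")
    return local ? value : fallback
  end

  # Absolute URL: the scheme allow-list excludes javascript:, data:, etc.
  return fallback unless ALLOWED_SCHEMES.include?(uri.scheme.downcase)
  return fallback if uri.userinfo
  return fallback unless uri.host && allowed_hosts.include?(uri.host.downcase)
  value
end

# Constructed sample inputs (not taken from any real request).
SAMPLES = [
  "/payments/42", "https://app.example.com/done", "javascript:alert(1)",
  " JavaScript:alert(1)", "//evil.example/x", "https://evil.example/", nil
].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each do |s|
    puts "#{s.inspect} -> #{safe_back_url(s, allowed_hosts: ['app.example.com'])}"
  end
end
```

The value returned by the helper, rather than the raw parameter, is what should reach the redirect or the rendered link.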