Reflected URL parameter name, potential XSS (multiple endpoints)
URL parameter names were echoed unencoded into the response across multiple endpoints, creating reflected-XSS-style vectors on any consumer that renders the response into HTML without escaping.
Description
Several endpoints echoed the URL parameter NAME (not just the value) directly into the response body without HTML-encoding. Parameter names are an easily overlooked injection point because input validation is usually applied to values only. A request crafted with attacker-controlled parameter names produced response content containing those names verbatim. Any consumer that subsequently rendered the response into HTML would interpret the attacker-controlled characters as markup.
Impact
Reflected XSS vector across multiple endpoints. The payload lives only in the request URL, so exploitation requires a victim to open an attacker-supplied link (or a front-end to fetch it on the victim's behalf) and a consumer that renders the response as HTML rather than treating it as data. Nothing is persisted server-side, so on its own this is a reflected injection primitive rather than a stored XSS.
Recommendation
HTML-encode all reflected content (parameter names as well as values) before it is included in any response body that could be rendered as HTML, using an encoder appropriate to the context the data lands in (element text, attribute value, etc.). Prefer structured JSON responses with a fixed schema, served with Content-Type: application/json and X-Content-Type-Options: nosniff, so that attacker-controlled strings can only appear as escaped string values, never as object keys or markup. Unrecognised parameter names should be rejected or counted rather than echoed back.
Ipal Network: Confirmed. Zealynx: Fixed.