Reflected input (multiple), potential XSS vector (address JSON parameter reflected unencoded)
Address-related JSON parameters were reflected back into responses without encoding, creating an injection vector if attacker-controlled values reach a consumer that renders into HTML.
Description
The address handling endpoint reflected JSON parameter values (including address and related fields) back into responses without proper encoding. Attacker-controlled values containing HTML special characters were echoed verbatim into the response body.
Impact
Reflected XSS primitive on the address handling surface. Compounds with other reflection issues to give an attacker multiple injection points.
Recommendation
Validate and reject malformed addresses at the input boundary (regex or library validation for the address format). Even for valid addresses, encode reflected content in responses to defeat the broader injection class.
Ipal Network: Confirmed. Zealynx: Fixed.
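
The recommendation above (reject malformed addresses at the input boundary, and encode whatever is still reflected), shown as an added example that is not code from the audited project or from the report. The address format (0x followed by 40 hex characters), the free-text `label` field, and all function names are assumptions for illustration.

```javascript
// Added example. ADDRESS_RE, `label`, safeJson and handleAddress are
// hypothetical; substitute the address format the endpoint really accepts.
const ADDRESS_RE = /^0x[0-9a-fA-F]{40}$/; // assumed address format

// Serialize to JSON with HTML-significant characters written as \uXXXX
// escapes. The result is still valid JSON and parses back to the same
// values, but contains no raw <, > or & if a consumer drops it into HTML.
function safeJson(value) {
  return JSON.stringify(value).replace(/[<>&\u2028\u2029]/g, (c) =>
    '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

function handleAddress(rawBody) {
  const headers = {
    'Content-Type': 'application/json; charset=utf-8',
    'X-Content-Type-Options': 'nosniff', // stop browsers sniffing the body as HTML
  };
  let parsed;
  try {
    parsed = JSON.parse(rawBody);
  } catch {
    return { status: 400, headers, body: safeJson({ error: 'invalid JSON' }) };
  }
  const address = parsed && parsed.address;
  if (typeof address !== 'string' || !ADDRESS_RE.test(address)) {
    // Fixed error text: the rejected value is never echoed back.
    return { status: 400, headers, body: safeJson({ error: 'invalid address' }) };
  }
  // Related free-text field (hypothetical): it cannot be validated as
  // strictly as the address, so it relies on output encoding.
  const label = typeof parsed.label === 'string' ? parsed.label.slice(0, 64) : '';
  return { status: 200, headers, body: safeJson({ address, label }) };
}
```
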