
Bug#388040: qa.debian.org: HTML/Client side script injections (XSS) in "advanced [PTS] subscription" script



Hello Moritz,

Thanks for your report.

> The following URLs demonstrate that it is possible to inject client side
> script (such as Javascript) and HTML tags into the HTML form (1) and error message (2) output generated by the "advanced [PTS] subscription" script.

The PTS does not have a security sensitive context, i.e. there's no
sensitive cookie information that you can steal from the user in this
way.

I don't think this is in any way an issue, not even with "normal"
severity.


Thijs
