BUG #4333 (open)
Parent issue: BUG #4242: [SQA] : Agency Authentication

[SQA] XSS Payload Handling Issue in Create New Password Form (Agency Profile)

Added by Aman Bhuiyan 25 days ago. Updated 25 days ago.

Status: Pending
Priority: High
Assignee:
Target version:
Start date: 03/16/2026
Due date:
% Done: 0%
Estimated time:

Description

Issue Description
On the Create New Password section under the Agency Profile module, the application does not properly sanitize user input in the Password and Confirm Password fields. When an XSS payload such as <script>alert(1)</scripT> is entered in both fields and submitted with the Reset Password button, the system displays an unexpected warning message and exposes a raw backend variable in the UI response.

This behavior indicates insufficient input sanitization and improper error handling. Reflecting unvalidated input and internal variables into the response is a security risk if such payloads are processed without proper validation.

Module / Page
Agency Profile → Create New Password

Module Section
Password Reset Form

Sprint / Module
Sprint-5 (Auth & Profile Setup Module)

Screen Size
Desktop

Tested By
Aman Bhuiyan


Steps to Reproduce

  1. Navigate to the Create New Password section under the Agency Profile module.
  2. In both the Password and Confirm Password fields, enter the following payload:
    <script>alert(1)</scripT>
  3. Click the Reset Password button.
  4. Observe the system response and UI behavior.

Expected Result
The system should properly validate and sanitize the input, reject malicious payloads, and display a secure validation message without exposing any backend variables or processing script content.

Actual Result
An unexpected warning message appears, and a raw backend variable is exposed in the UI response, indicating insufficient input sanitization and improper error handling.
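As an added illustration (not the project's own code, whose root cause the report leaves open), the first handler below has the shape of the reported behaviour: a naive markup check fires a warning that interpolates the raw submission and an unrendered backend placeholder into the response. The second handler follows the Expected Result: outcomes map to a fixed message table, the submitted values never reach the output, and rendered text is HTML-escaped; the field handling, messages, policy regex and leaked variable name are assumptions.

```python
import html
import re

# Constructed example, not the project's own code. The leaked variable, field
# handling and messages are assumptions; the report leaves Root Cause empty.
LEAKED_INTERNAL = "{{ form.password.errors }}"   # stand-in for an unrendered backend variable
PASSWORD_POLICY = re.compile(r"^[A-Za-z0-9!@#$%^&*()_+=\-\[\]{};:,.?]{12,128}$")

def reset_password_vulnerable(password: str, confirm: str) -> str:
    """Assumed shape of the reported behaviour: a naive markup check fires a warning
    that interpolates the raw submission and an internal placeholder into the HTML."""
    if "<" in password or password != confirm:
        return f"<p class='warning'>Invalid password {password} {LEAKED_INTERNAL}</p>"
    return "<p class='ok'>Password updated.</p>"

# Fixed messages keyed by outcome: the client only ever sees one of these strings.
MESSAGES = {
    "ok": "Password updated.",
    "mismatch": "Password and Confirm Password do not match.",
    "policy": "Password must be 12 to 128 characters from the allowed set.",
    "error": "The request could not be processed. Please try again.",
}

def validate(password, confirm) -> str:
    """Return an outcome key; the submitted values are never part of the result."""
    if not isinstance(password, str) or not isinstance(confirm, str):
        return "policy"
    if password != confirm:
        return "mismatch"
    # Charset whitelist implements the report's "reject malicious payloads" requirement;
    # a payload is rejected with the same fixed message as any other policy failure.
    if not PASSWORD_POLICY.fullmatch(password):
        return "policy"
    return "ok"

def render_message(key: str) -> str:
    """Look the text up in the fixed table (unknown keys degrade to the generic error)
    and HTML-escape it, so no submitted markup or template syntax can reach the page."""
    text = MESSAGES.get(key, MESSAGES["error"])
    css = "ok" if key == "ok" else "warning"
    return f"<p class='{css}'>{html.escape(text)}</p>"

def reset_password_hardened(password, confirm) -> str:
    try:
        return render_message(validate(password, confirm))
    except Exception:
        # Record details server-side (omitted here); never surface exception text or variables.
        return render_message("error")
```

Calling both handlers with the report's payload in both fields shows the difference: the first response contains the payload and the `{{ ... }}` placeholder, the second contains only the fixed policy message.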

Attachments
PoC

Types of Issue
Security Issue, Input Validation Issue


Root Cause:

Impacted Area:
