Gallup has fixed two cross-site scripting (XSS) vulnerabilities on its website that could have enabled data theft and account takeover, according to a report published by Checkmarx on Tuesday. Both flaws stemmed from a lack of proper sanitization or output encoding of certain query string parameters on several Gallup endpoints. An attacker could have exploited them by appending their own values to otherwise-legitimate Gallup domain URLs and convincing victims to click the manipulated links.
Source: SC Magazine
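The flaw class described above, as an added illustration that is not code from the Checkmarx report or from Gallup's site: a query-string parameter reflected into HTML without encoding, the same handler with output encoding applied, and a small check a defender can run against a response to see whether the parameter comes back unencoded. The endpoint path and parameter name are hypothetical.

```javascript
// Added example (not from the Checkmarx report or Gallup's code): a reflected
// query-string parameter rendered into HTML, first unencoded (the flaw class
// described above) and then HTML-encoded. Endpoint and parameter names are
// hypothetical.

// Minimal HTML entity encoder for text placed inside an element body.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable: the "name" parameter is copied into the page as-is, so any
// markup appended to the URL becomes part of the response.
function renderUnsafe(urlString) {
  const name = new URL(urlString).searchParams.get("name") ?? "visitor";
  return `<p>Welcome, ${name}</p>`;
}

// Fixed: the same parameter is encoded for an HTML text context before use.
function renderSafe(urlString) {
  const name = new URL(urlString).searchParams.get("name") ?? "visitor";
  return `<p>Welcome, ${escapeHtml(name)}</p>`;
}

// Defender-side check: does the response echo the raw parameter value when
// that value contains characters significant to HTML? Returns true if the
// parameter is reflected unencoded.
function reflectsUnencoded(urlString, html) {
  const name = new URL(urlString).searchParams.get("name") ?? "";
  return /[<>"'&]/.test(name) && html.includes(name);
}

// Constructed URL: a legitimate-looking path with harmless markup appended to
// a query parameter (no real Gallup endpoint is implied). searchParams.get()
// percent-decodes the value, so "name" becomes <i>markup</i>.
const probe = "https://example.test/survey?name=%3Ci%3Emarkup%3C%2Fi%3E";
```

Running `reflectsUnencoded(probe, renderUnsafe(probe))` returns true while the encoded handler returns false, which is the difference between the reported flaws and their fix.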