Simple reflected XSS bug in Avans’ search box:
Another set of unfiltered input fields was in:
which is Step 3/4 after adding a product to the cart. Filling those fields with a standard value of:
redirects to the:
which pops an alert box.
Bonus: It was possible to create an account without a password.
The bugs were short-lived thanks to a quick reaction from Avans.pl. Good job.