Description: A reflected cross-site scripting (XSS) vulnerability in the Evolution v.3.2.3 installation process connection allows a local attacker to execute arbitrary web scripts via a crafted payload injected into the uid parameter.
Attack Vectors: Insufficient sanitization of the uid parameter in the database installation process allows JavaScript code to be injected.
During the installation process, we enter the XSS payload in the uid parameter; when we click Next, the XSS pop-up appears.
'"><svg/onload=alert('XSS')>
The following image shows the embedded code that executes the payload in the installation process.
The result is reflected in the pop-up shown in the following evidence:
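One way to close the sanitization gap described above, as an added PHP example that is not Evolution's own code: it assumes the uid value is reflected into an HTML attribute, and the function names and form markup are hypothetical. It renders the advisory's payload through an unescaped and an escaped path and checks whether the value stays inside the attribute.

```php
<?php
declare(strict_types=1);

// Added illustration: function names and the form markup are hypothetical,
// not taken from Evolution's installer.

// Vulnerable pattern: the request value is concatenated into the attribute as-is.
function render_uid_unsafe(string $uid): string
{
    return '<input type="text" name="uid" value="' . $uid . '">';
}

// Hardened: escape for an HTML attribute. ENT_QUOTES covers both ' and ";
// before PHP 8.1 the default flag was ENT_COMPAT, which leaves ' untouched.
function render_uid_safe(string $uid): string
{
    $escaped = htmlspecialchars($uid, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="uid" value="' . $escaped . '">';
}

// Regression check: true when no raw quote or angle bracket from the input
// survives inside the rendered value attribute.
function value_is_contained(string $html): bool
{
    if (preg_match('/ value="([^"]*)">\z/', $html, $m) !== 1) {
        return false; // attribute was broken out of or markup is malformed
    }
    return strpbrk($m[1], "<>'") === false;
}

// Payload string as given in the advisory text.
$payload = '\'"><svg/onload=alert(\'XSS\')>';

foreach (['unsafe' => 'render_uid_unsafe', 'safe' => 'render_uid_safe'] as $label => $fn) {
    $html = $fn($payload);
    printf("%-6s contained=%s  %s\n", $label, var_export(value_is_contained($html), true), $html);
}
```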