Hi there!

I upgrade my Magento CE to 2.3.5.p1 version but I still have xss vulnerabilities.

Vega scan throw me this:

Classification Input Validation Error
Resource /catalogsearch/result/
Parameter q
Method GET
Risk High


Cross-site scripting (XSS) is a class of vulnerabilities affecting web applications that can result in security controls implemented in browsers being circumvented. When a browser visits a page on a website, script code originating in the website domain can access and manipulate the DOM (document object model), a representation of the page and its properties in the browser. Script code from another website can not. This is known as the "same origin policy", a critical control in the browser security model. Cross-site scripting vulnerabilities occur when a lack of input validation permits users to inject script code into the target website such that it runs in the browser of another user who is visiting the same website. This would circumvent the browser same-origin policy because the browser has no way to distinguish authentic script code from inauthentic, apart from its origin.

GET /catalogsearch/result/?q=1'%20-->">'>'"

GET /http:/dominio.com/catalogsearch/result/?q=1'%20style=-->">'>'"

I override the module to sanitize the input value but still throws the same.

Does this vulnerability own to Magento Core or is there anything else i can do?

Thanks in advance.