RXSS at `https://skyview.gsfc.nasa.gov/current/cgi/vo/sia.pl`

Disclosed by GxbNt
Summary by GxbNt

A reflected XSS vulnerability was identified in the NASA SkyView service at the following endpoint: https://skyview.gsfc.nasa.gov/current/cgi/vo/sia.pl
The issue is present in the FORMAT parameter, which fails to properly sanitize user-supplied input. By injecting a crafted payload, arbitrary JavaScript can be executed in the context of the user's browser. An example of a malicious request is shown below:
https://skyview.gsfc.nasa.gov/current/cgi/vo/sia.pl?survey=digitized&POS=99,10&SIZE=0.1&FORMAT=%22%3E%3Csvg%20xmlns=%22http://www.w3.org/2000/svg%22%20onload=%22alert(1)%22%3E%3C/svg%3E