Podinfo · CVE-2026-43644
**Name of the Vulnerable Software and Affected Versions**
podinfo versions prior to 6.11.3
**Description**
A reflected cross-site scripting issue exists in the `/echo` and `/api/echo` endpoints. The `echoHandler` function writes the request body directly to the response without setting an explicit `Content-Type` or `X-Content-Type-Options` header. This allows attackers to use cross-origin HTML pages with auto-submitting forms that carry script payloads in the request body. Because Go's `net/http` sniffs the body to choose a content type when no `Content-Type` header has been set, such responses are served as `text/html`, so the script executes in the podinfo origin when a victim visits the malicious page.
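As an added illustration (not podinfo's own code), the following Go program reconstructs the header behaviour described above: a handler that echoes the body with no `Content-Type` set, so `net/http` sniffing labels an HTML-looking body as `text/html`, beside a handler that pins `Content-Type` to `text/plain` and sets `X-Content-Type-Options: nosniff`. The handler names and the sample body are assumptions.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// vulnerableEcho is a hypothetical reconstruction of the defect described in
// the advisory (not podinfo's source): it copies the body to the response
// without setting Content-Type, so net/http sniffs the body with
// http.DetectContentType and picks text/html for an HTML-looking payload.
func vulnerableEcho(w http.ResponseWriter, r *http.Request) {
	body, _ := io.ReadAll(r.Body)
	w.Write(body)
}

// hardenedEcho pins the response type and tells browsers not to sniff.
func hardenedEcho(w http.ResponseWriter, r *http.Request) {
	body, _ := io.ReadAll(r.Body)
	w.Header().Set("Content-Type", "text/plain; charset=utf-8")
	w.Header().Set("X-Content-Type-Options", "nosniff")
	w.Write(body)
}

// responseHeaders POSTs body to the handler and returns the Content-Type and
// X-Content-Type-Options headers the handler emitted. httptest.ResponseRecorder
// performs the same sniffing as the real server when Content-Type is unset.
func responseHeaders(h http.HandlerFunc, body string) (contentType, nosniff string) {
	req := httptest.NewRequest(http.MethodPost, "/echo", strings.NewReader(body))
	rec := httptest.NewRecorder()
	h(rec, req)
	res := rec.Result()
	return res.Header.Get("Content-Type"), res.Header.Get("X-Content-Type-Options")
}

func main() {
	// Constructed sample body: an HTML document, as a form submission could carry.
	const sample = "<html><body>hello</body></html>"
	ct, _ := responseHeaders(vulnerableEcho, sample)
	fmt.Printf("vulnerable: Content-Type=%q\n", ct)
	ct, ns := responseHeaders(hardenedEcho, sample)
	fmt.Printf("hardened: Content-Type=%q X-Content-Type-Options=%q\n", ct, ns)
}
```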
**Recommendations**
Update to a version later than 6.11.2.
As a temporary workaround, restrict access to the `/echo` and `/api/echo` endpoints to minimize the risk of exploitation.