Practical Web Penetration Testing

by Gus Khawaja
June 2018
Intermediate to advanced
294 pages
7h 5m
English
Packt Publishing
Content preview from Practical Web Penetration Testing

Second case – Reflected XSS

The tester was able to inject JavaScript into the URL parameter, and the browser executed the script:

  • AV:N: The hacker will connect through a network to execute the attack.
  • AC:L: The complexity is very low; the hacker tested the JavaScript on all browsers, and it worked.
  • PR:N: No privilege is required.
  • UI:N: The victim needs to click on a link through a social engineering attack.
  • S:C: The scope is not the web server only; the victim browser is impacted, as well.
  • C:L: Since the HttpOnly flag is set, the confidentiality impact is low, because the attacker has not accessed sufficient cookie data to hijack the victim's session.
  • I:L: The hacker can probably change the data only in the victim's browser context.
  • A:N ...


ISBN: 9781788624039