...
Make sure that cookies are handled securely. In the Administration service, go to Manage System > Access Points > Manage Global Access Point Settings > Advanced settings.
The following checkboxes must be checked:
...
Click Browse in the upper right corner of the window.
Locate the passwordSet.js file under access-point/built-in-files/wwwroot/wa/scripts.
Click the edit symbol (sheet with a pencil) and edit the file as explained below:
In the method loadPage locate this row:
$(".form-message").html( decodeUrlParameter(decodeURI( message ) )) ;
Change it to the following, replacing html with text so that the decoded message is inserted as plain text rather than parsed as HTML:
$(".form-message").text( decodeUrlParameter(decodeURI( message ) )) ;
In the method displaySuccessMessage locate this row:
$(".form-message").html( decodeUrlParameter( message ) );
Change it (by replacing html with text) to:
$(".form-message").text( decodeUrlParameter( message ) );
Click Save and close the browser window.
Click Publish (it may not be blue at this point but it will still work).
Validate the fix by visiting the following link:
https://<your dns name>/wa/passwordSet.html?userID=testuser</script>&phoneNumber=&message=<script>alert(%27if%20this%20is%20shown%20in%20a%20popup%20the%20system%20is%20not%20safe.%20If%20it%20is%20shown%20in%20the%20web%20page%20the%20system%20is%20safe%27);</script>
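A check for the edit described above, as an added example that is not part of the vendor's instructions or code: it scans the text of passwordSet.js for jQuery .html() calls that still receive a non-constant argument. The function name findHtmlSinks and the sample file contents are assumptions, constructed around the two rows quoted above.

```javascript
// Added example, not vendor code. Flags jQuery .html() calls whose argument
// is not a constant string, i.e. where decoded URL data could be parsed as markup.
function findHtmlSinks(source) {
  const findings = [];
  source.split(/\r?\n/).forEach((line, index) => {
    if (line.trim().startsWith("//")) return; // skip comment-only lines
    const call = /\$\(\s*(["'])(.*?)\1\s*\)\s*\.html\s*\(\s*(.*)\)/.exec(line);
    if (!call) return;
    const argument = call[3].trim();
    if (argument === "") return; // .html() without an argument only reads
    if (/^(["'])(?:\\.|(?!\1).)*\1$/.test(argument)) return; // constant string
    findings.push({ line: index + 1, selector: call[2], argument });
  });
  return findings;
}

// Constructed sample: only the two .html() rows come from the page; the
// surrounding function signatures are assumptions.
const BEFORE_EDIT = [
  "function loadPage() {",
  '  $(".form-message").html( decodeUrlParameter(decodeURI( message ) )) ;',
  "}",
  "function displaySuccessMessage(message) {",
  '  $(".form-message").html( decodeUrlParameter( message ) );',
  "}",
].join("\n");

// The edit from the steps above: html replaced with text in both rows.
const AFTER_EDIT = BEFORE_EDIT.replace(/\.html\(/g, ".text(");

for (const [label, source] of [["before edit", BEFORE_EDIT], ["after edit", AFTER_EDIT]]) {
  const findings = findHtmlSinks(source);
  console.log(`${label}: ${findings.length} .html() call(s) with a non-constant argument`);
  for (const f of findings) {
    console.log(`  line ${f.line}: $("${f.selector}").html(${f.argument})`);
  }
}
```

The scan is line-based, so a call split across several lines is not detected; paste the saved file's contents in place of the sample to check that both rows were changed.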
...