XSS issue on gosearchresults.com

[m-vinay]

I found a reflected XSS issue on gosearchresults.com
Steps to reproduce:
Call the following URL in Mozilla Firefox: https://lavasoft.gosearchresults.com/?sbtn=&q=ola%3Cscript%3Ealert%28%27I+can+send+any+message+here%21%27%29%3C%2Fscript%3E&tt=VM__GS__S4LAVA__vmn__webcompa__1_0__go__ch_WCYID10438__180722__yrff&pid=5ac784309091147a162b4431&sr=0

An alert box with "I can send any message here!" appears. This means that an attacker has full control of the scripts, that are executed in the victims browser.
An attack vector would be sending an evil link via e-mail, messenger, etc. As the victim trusts the domain gosearchresults.com, it will click the link and could be redirected to a site hosting a browser exploit kit.
This abuses the trust of gosearchresults.com
When i enter any script in URL bar then after clicking enter it encrypt the URL in encoded form but still script gets exicuted. This is a big problem by which a hacker can steal the cookies of victim's browser and also can redirect that user to any other site or search engine.

[daviddengcn]

gosearchresults.com has nothing to do with go-search.org.