Is it part of the challenges or has been miss out?

 It's been 14 years since my last post. Sharing a bit findings in one of the a8db1d82db78ed452ba0882fb9554fc9 😄 challenges i've been recently. Not sure if this is an intentional flaw, but what i am really sure is, this is not part of the challenges, as it has no FLAGs at all. 

 

The page parameter 'username' and 'password' is vulnerable to c9ee90255cdc1ef5f247317065e74111 cr0ss-s1t3-scr1pt1ng. Every time the page is loaded, script is executed. I have submitted the findings to organizers.