Based on the payload the author describes, it does look like an XSS.
The server response probably injected the "continue" parameter into a <meta http-equiv="refresh" content="0; url=…" />. Google's bug bounty team likely would have adjusted the reward downward if it was not an XSS.