Is the XSS exploitable? Can you insert data in the phone field via a form submit or URL param? Seems like the attack requires exceedingly unlikely user interaction.
Did you contact the Portuguese National Data Protection Agency? If you can leak phone numbers, they should be informed.
Did you contact the Portuguese National Data Protection Agency? If you can leak phone numbers, they should be informed.
Cool findings :)