Cache Poisoning and XSS in Glassdoor ($2000 USD)
Two issues: first, an XSS that required two injection points to bypass the web application firewall, and second, a cache poisoning attack that made it possible for the XSS to be stored.
Cross-Site Scripting - The first XSS discovered was that the gdId cookie would be reflected in the page; however, because the WAF would block the request when it contained a space or any HTML tags, it couldn't be weaponized on its own. The page also reflected the user's IP nearby, which can be influenced through X-Forwarded-For headers. Combining these two reflection points led to XSS.
Cache Poisoning - The application would cache pages if they had a .js or .css file extension, which could be appended to a request without changing the endpoint it resolved to. This allowed the XSS, which depended on attacker-controlled request headers, to be stored in the cache and served to other users.
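As an added example (not code from the report or from Glassdoor), a toy model of the two behaviours described above: the weak cache keys on the URL alone whenever the path ends in .js/.css, so one visitor's reflected cookie and X-Forwarded-For value are served to the next visitor, while the hardened mode caches only what the origin marks as a static asset and HTML-escapes the reflected values. The request shapes, the origin function and the TAINT marker are constructed for the demonstration.

```python
import html
from urllib.parse import urlsplit

def origin(req: dict, escape: bool) -> tuple[str, str]:
    """Constructed origin: a trailing .js/.css suffix does not change which page is served,
    and the page reflects the gdId cookie and the X-Forwarded-For header into its HTML."""
    enc = html.escape if escape else (lambda s: s)
    gd_id = req.get("cookies", {}).get("gdId", "")
    ip = req.get("headers", {}).get("X-Forwarded-For", "0.0.0.0")
    body = f"<p>gdId={enc(gd_id)}</p><p>ip={enc(ip)}</p>"
    return "text/html", body

class EdgeCache:
    """Toy edge cache. mode='weak': cache keyed on the URL whenever the path ends in .js/.css,
    ignoring the headers and cookies the response actually depends on (the reported bug).
    mode='hardened': cache only responses the origin marks as non-HTML static assets, and
    have the origin escape everything it reflects."""
    def __init__(self, mode: str):
        self.mode, self.store = mode, {}

    def handle(self, req: dict) -> tuple[str, bool]:
        key = req["url"]
        looks_static = urlsplit(key).path.endswith((".js", ".css"))
        if key in self.store and (self.mode == "hardened" or looks_static):
            return self.store[key], True          # cache hit
        ctype, body = origin(req, escape=(self.mode == "hardened"))
        if self.mode == "weak" and looks_static:
            self.store[key] = body                # per-user HTML stored for everyone
        elif self.mode == "hardened" and ctype != "text/html":
            self.store[key] = body                # a reflecting HTML page never qualifies
        return body, False

def demo(mode: str) -> dict:
    """Two visitors request the same dynamic page with a .js suffix appended."""
    cache = EdgeCache(mode)
    first = {"url": "/jobs/index.js", "cookies": {"gdId": "<b>x</b>"},
             "headers": {"X-Forwarded-For": "TAINT"}}         # constructed marker value
    victim = {"url": "/jobs/index.js", "cookies": {"gdId": "<i>v</i>"},
              "headers": {"X-Forwarded-For": "10.0.0.2"}}
    cache.handle(first)
    body, hit = cache.handle(victim)
    return {"hit": hit,                          # did the victim get the cached copy?
            "victim_sees_taint": "TAINT" in body,  # first visitor's header reflected to victim?
            "escaped": "&lt;i&gt;" in body}        # victim's own cookie, HTML-escaped?

if __name__ == "__main__":
    print("weak:", demo("weak"))
    print("hardened:", demo("hardened"))
```

In weak mode the victim receives the first visitor's response verbatim; in hardened mode the page is never cached and its reflected values are encoded.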