The endpoint returns a variable from the client input that has not been encoded.
A potential XSS was found. It could be used to execute unwanted JavaScript in a client's browser.
WASC-8: Cross Site Scripting
OWASP: XSS Prevention Cheat Sheet
OWASP: Top 10 2013-A3: Cross-Site Scripting (XSS)
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')