by svenfaw 1666 days ago
To clarify, why is being able to display an alert a massive security flaw in this context?
2 comments

The alert itself is harmless, but demonstrates that arbitrary JavaScript - which could certainly not be harmless - can be injected into the page.
It's not the ability to display alerts that is concerning, but rather the ability to run untrusted JavaScript. This was a proof of concept that showed that it has a serious XSS vulnerability.
For detailed information on what XSS is, how it can be exploited and prevented, have a look at the OWASP XSS description:

https://owasp.org/www-community/attacks/xss
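As an added illustration of the point made in this thread (not code from either commenter), here is the reflected-output pattern that makes an alert() proof of concept possible, next to the output-encoding fix the OWASP page recommends. The page template and the `name` parameter are assumptions made for the example.

```javascript
// Added example, not from the thread: a constructed page fragment that reflects
// an untrusted "name" value into HTML, first unsafely and then with encoding.

// Vulnerable pattern: untrusted input is concatenated straight into HTML, so any
// markup in the input is parsed by the browser. An alert() here is only the
// proof-of-concept marker; any script placed in the same slot would run with the
// page's origin, which is why the alert demonstrates a serious flaw.
function renderUnsafe(name) {
  return `<p>Hello, ${name}!</p>`;
}

// Map every character with meaning in an HTML text or attribute context to its
// entity, so the browser renders it as literal text instead of markup.
const HTML_ENTITIES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#x27;",
  "/": "&#x2F;",
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"'\/]/g, (ch) => HTML_ENTITIES[ch]);
}

// Hardened version: same template, but the input is encoded at the exact point
// where it is inserted into the document (contextual output encoding).
function renderSafe(name) {
  return `<p>Hello, ${escapeHtml(name)}!</p>`;
}

// Regression check for a test suite: does the rendered HTML still contain a raw
// <script> tag that came from the input?
function containsRawScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed proof-of-concept input of the kind the thread refers to: it only
// pops an alert, but the unsafe renderer would accept any script in its place.
const POC_INPUT = "<script>alert('xss')</script>";

console.log("unsafe:", renderUnsafe(POC_INPUT));
console.log("safe:  ", renderSafe(POC_INPUT));
```

The encoded version still shows the visitor the text they typed; it simply never becomes markup.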