I’m able to modify a parameter in a POST request (using Burp Suite Repeater) and get the alert in the browser when I “show response in browser”. I have checked my payload in the response and it is not getting encoded or escaped, so there is an issue with the input validation. When I tried to build an HTML form to create the POST request, I found that the server checks the Referer value and rejects the request if the Referer is not correct (also, it has CSP defined :)). I cannot modify the Referer value, hence it is not possible to generate a POC. Basically, I can do the POC only using Burp Suite but not in a real-world scenario (HTML form). Is this still considered a vulnerability, given that Referer checking is defending against the XSS vulnerability? Has anyone had a similar case?
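The situation described in the post, as an added example that is not part of the original post or any real application's code: a handler that gates on Referer but writes a POST parameter into the page unencoded, next to the same handler with output encoding applied. The origin `app.example`, the `name` parameter and all function names are assumptions made for illustration.

```python
import html
from urllib.parse import urlsplit

EXPECTED_ORIGIN = "https://app.example"  # assumed origin of the site


def referer_ok(referer):
    """Referer gate as described in the post: accept same-origin requests only."""
    if not referer:
        return False
    parts = urlsplit(referer)
    return f"{parts.scheme}://{parts.netloc}" == EXPECTED_ORIGIN


def render_unencoded(form, referer):
    """'Before': Referer gate only; the parameter reaches the page as-is."""
    if not referer_ok(referer):
        return 403, "Forbidden"
    return 200, f"<p>Hello, {form.get('name', '')}</p>"


def render_encoded(form, referer):
    """'After': same gate, plus HTML-encoding at the point of output."""
    if not referer_ok(referer):
        return 403, "Forbidden"
    safe = html.escape(form.get("name", ""), quote=True)
    return 200, f"<p>Hello, {safe}</p>"


# Constructed sample input, not taken from the post.
SAMPLE = {"name": "<script>alert(1)</script>"}
GOOD_REFERER = EXPECTED_ORIGIN + "/profile"
BAD_REFERER = "https://other.example/form.html"

if __name__ == "__main__":
    for fn in (render_unencoded, render_encoded):
        for ref in (GOOD_REFERER, BAD_REFERER):
            print(fn.__name__, ref, fn(SAMPLE, ref))
```

The Referer gate decides which requests are accepted; only the encoding step changes what is written into the response for an accepted request.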