If they are vulnerable to plain, basic, well-known XSS like this, I wonder what are they using to render the web pages? Because every modern language/framework covers this by default.
Is this PHP and they are ignoring the security practices? CGI? Nothing else even comes to my mind.
Note that this was found and fixed a number of years ago.
Every team has their own bit IIRC.
Of course, that means that if any one team messes up, the whole thing is vulnerable.