Key learning from this report

We can learn the following from this report:

  • This was a simple XSS that was identified in a parameter on one domain and executed on another. This report tells us to always look at the response body for the suspected XSS parameter, so that we can be sure where it executes.
  • OAuth is a cross-platform authentication mechanism, which can also be used to chain vulnerabilities and XSS attacks to other domains.
  • A cross-origin resource sharing (CORS) policy was defined, which allowed this XSS to execute on the other domain.
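
As an added illustration of the first and third points (not code from the report or the book), the following triage helper takes captured responses and reports, per origin, whether a test value comes back raw in an HTML response, raw in a non-HTML response, or HTML-encoded, along with the CORS headers that origin returned. The hostnames, the canary value and the sample responses are constructed for the example.

```javascript
// Added example: constructed captures; hostnames and canary are hypothetical.
const CANARY = 'zq<x7>';

// The same canary value as observed in responses served by three origins.
const captured = [
  { origin: 'https://login.example.test',
    headers: { 'content-type': 'application/json',
               'access-control-allow-origin': 'https://app.example.test',
               'access-control-allow-credentials': 'true' },
    body: '{"state":"zq<x7>"}' },
  { origin: 'https://app.example.test',
    headers: { 'content-type': 'text/html; charset=utf-8' },
    body: '<div id="msg">zq<x7></div>' },
  { origin: 'https://help.example.test',
    headers: { 'content-type': 'text/html' },
    body: '<p>zq&lt;x7&gt;</p>' },
];

const htmlEncode = s =>
  s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');

// Classify how one response reflects the canary and what CORS policy it sends.
function classify(resp, canary) {
  const type = (resp.headers['content-type'] || '')
    .split(';')[0].trim().toLowerCase();
  let reflection = 'absent';
  if (resp.body.includes(canary)) {
    // Raw markup only matters where the browser parses the body as HTML.
    reflection = type === 'text/html' ? 'raw-in-html' : 'raw-not-html';
  } else if (resp.body.includes(htmlEncode(canary))) {
    reflection = 'encoded';
  }
  const acao = resp.headers['access-control-allow-origin'];
  const creds = resp.headers['access-control-allow-credentials'] === 'true';
  let cors = 'none';
  if (acao === '*') cors = 'wildcard';
  else if (acao) cors = creds ? 'origin-with-credentials' : 'origin';
  return { origin: resp.origin, reflection, cors };
}

// Origins where the value lands unencoded in HTML: the ones that need a fix.
function executingOrigins(responses, canary) {
  return responses.map(r => classify(r, canary))
    .filter(r => r.reflection === 'raw-in-html')
    .map(r => r.origin);
}

console.log(captured.map(r => classify(r, CANARY)));
```

On the constructed data, the parameter is accepted by the login origin but only the app origin returns it unencoded in HTML, so that is where output encoding has to be applied.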