May 27, 2024
Client side HTTP parameter pollution
Hi, recently a vulnerability scan was done by a security team on our code and application on a staging server. It returned with a list of findings from high to info, and we managed to fix both the high and medium findings.
However, most of the low findings are reported as Client side HTTP parameter pollution (reflected). And to our surprise, some of the paths were from Auth::route(), such as login, register and forgot password.
The security team were using Burp Suite. Below is one of the details of the finding:
Issue details : The value of the Referer HTTP header is copied into the response within the query string of a URL.
The payload lno&wcs=1 was submitted in the Referer HTTP header. This input was echoed as lno&wcs=1 within the "content" attribute of a "meta" tag.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary query string parameters into URLs in the application's response.
Suggested remediation : Ensure that user input is URL-encoded before it is embedded in a URL.
I'm quite baffled because we're unable to reproduce these reports using other tools.
Our application's details: Laravel 9, Apache server 2.4.x, Ubuntu 22.x, PostgreSQL database
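The Burp finding quoted in the post above, reproduced offline as an added example (not part of the original post and not the application's code). It assumes a hypothetical template that places the Referer value in a `from` query parameter inside a meta tag's content attribute, and compares HTML-escaping alone with the URL-encoding that the suggested remediation asks for.

```php
<?php
// Added example. The template shape (a meta tag whose content holds a URL
// with a "from" parameter) and the function names are assumptions.

// Constructed sample input: the Referer payload from the Burp finding.
$referer = 'lno&wcs=1';

// HTML-escaping only, which is what Blade's {{ }} output escaping does.
// "&" becomes "&amp;", and the browser decodes it back to "&" in the attribute.
function metaHtmlEscapedOnly(string $referer): string
{
    $url = '/login?from=' . $referer;
    return '<meta name="return-url" content="'
        . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">';
}

// Remediation: URL-encode the value for the query string first,
// then HTML-escape the finished URL for the attribute.
function metaUrlEncoded(string $referer): string
{
    $url = '/login?from=' . rawurlencode($referer);
    return '<meta name="return-url" content="'
        . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">';
}

// Approximates what a browser does with the tag: decode the entities in the
// attribute value, then split the URL's query string into parameters.
function paramsSeenByBrowser(string $metaTag): array
{
    if (!preg_match('/content="([^"]*)"/', $metaTag, $m)) {
        return [];
    }
    $url = html_entity_decode($m[1], ENT_QUOTES, 'UTF-8');
    parse_str((string) parse_url($url, PHP_URL_QUERY), $params);
    return $params;
}

foreach (['metaHtmlEscapedOnly', 'metaUrlEncoded'] as $fn) {
    $tag = $fn($referer);
    echo $fn, ': ', $tag, PHP_EOL;
    echo '  parameters: ', json_encode(paramsSeenByBrowser($tag)), PHP_EOL;
}
```

With HTML-escaping only, the parsed URL carries a separate `wcs` parameter; with `rawurlencode()` the whole payload stays inside `from`.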