ID H1:11927
Type hackerone
Reporter 4lemon
Modified 2014-12-10T19:09:03
Description
While experimenting with the HTML editor on the greeting-card compose page http://cards.mail.ru/card/compose.html?cid=7842
a vector was found that passes the checks and is kept in the stored card:
asdf<br>
<iframe src=javascript:alert(2) <
As a result, there is stored XSS on the pages
http://cards.mail.ru/card/status.html?fcid=acff40d2aad6a1bb49ba650788b0806f
and
http://cards.mail.ru/card/receive.html?tcid=bef7886ed4771bb6de75d026c0105b6f
The last link is delivered straight into the victim's mailbox.
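Why the vector survives: the `<iframe` start tag is never terminated, so a check that looks for a complete `<iframe ...>` tag (or that expects well-formed markup) never sees an iframe at all, while the browser's tokenizer simply keeps reading attribute names until it meets the next `>` in the surrounding page (typically the page's own closing tag), ends the start tag there and then loads `src=javascript:alert(2)`. The Python below is an added illustration, not Mail.ru's code: the report does not show what check the editor applied, so `naive_blocklist` is an assumed regex filter of the kind this vector evades, and `sanitize` is an allowlist sanitizer built on the standard library's `html.parser` that tokenizes the fragment, keeps only known-safe tags and attributes, and re-serializes, so a dangling tag can only come out as escaped text or nothing. The sample inputs are constructed.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample input: the exact vector from the report, as it would have
# been submitted from the editor (a complete <br>, then an <iframe> that is
# never closed).
REPORT_VECTOR = "asdf<br>\n<iframe src=javascript:alert(2) <"

# Hypothetical blocklist filter of the kind this vector slips past. It only
# recognises a dangerous element once it has seen the '>' that ends the start
# tag. The report gives no detail on Mail.ru's real check; this is an assumption.
DANGEROUS_START_TAG = re.compile(r"<\s*(iframe|script|object|embed)\b[^>]*>", re.I)


def naive_blocklist(fragment: str) -> str:
    """Strip well-formed dangerous start tags. Returns the input unchanged when
    the tag is never terminated, which is exactly the reported bypass."""
    return DANGEROUS_START_TAG.sub("", fragment)


# Hardened replacement: tokenize with a real HTML parser, keep only an allowlist
# of tags/attributes, and re-serialize. Anything the tokenizer does not report as
# an allowed element (including a dangling '<iframe ... <') is either escaped as
# text or dropped; it can never reach the browser as a tag.
ALLOWED_TAGS = {"b", "i", "u", "p", "br", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
VOID_TAGS = {"br"}
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:")
RAW_TEXT_TAGS = {"script", "style"}  # their content is discarded, not escaped


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []         # serialized output pieces
        self.open_tags = []   # allowed tags still waiting for their close tag
        self.skipping = None  # set while inside <script>/<style> content

    def handle_starttag(self, tag, attrs):
        if tag in RAW_TEXT_TAGS:
            self.skipping = tag
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown or dangerous element: dropped entirely
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # event handlers, style, etc. never pass
            value = (value or "").strip()
            if name == "href":
                # Remove whitespace/control characters before the scheme check so
                # 'java\tscript:' (entities are already decoded by the parser)
                # cannot pass as a harmless-looking prefix.
                normalized = re.sub(r"[\s\x00-\x1f]", "", value).lower()
                if not normalized.startswith(SAFE_URL_SCHEMES):
                    continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag == self.skipping:
            self.skipping = None
            return
        if tag in self.open_tags:
            # Close everything opened after the matching tag, then the tag
            # itself, so the output is always well nested.
            while self.open_tags:
                closed = self.open_tags.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        if self.skipping is None:
            self.out.append(html.escape(data, quote=False))

    def result(self) -> str:
        while self.open_tags:  # close anything the author left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize(fragment: str) -> str:
    """Allowlist-sanitize an untrusted HTML fragment before storing/rendering it."""
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()  # flushes the unterminated tag at end of input
    return parser.result()


if __name__ == "__main__":
    print("naive filter keeps the vector:", naive_blocklist(REPORT_VECTOR) == REPORT_VECTOR)
    print("allowlist output:", repr(sanitize(REPORT_VECTOR)))
```

The property that matters is that `sanitize` works on tokens rather than on the raw string, so it never has to guess where a tag ends. A quick regression check for any filter in front of a rich-text field is therefore to feed it an unterminated tag followed by arbitrary markup and confirm that nothing beginning with `<` comes back unescaped.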
Title Mail.ru: Stored XSS on http://cards.mail.ru
Published 2014-05-13T12:23:15
Bounty 150 (resolved)
Reference https://hackerone.com/reports/11927