Lucene search

K
openbugbountyDevl00pOBB:1005198
HistoryOct 28, 2019 - 1:21 p.m.

habitat.mit.edu Cross Site Scripting vulnerability

2019-10-2813:21:00
devl00p
www.openbugbounty.org
7

Open Bug Bounty ID: OBB-1005198

Following coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has:

&nbsp&nbsp&nbsp&nbsp&nbsp&nbspa. verified the vulnerability and confirmed its existence;
&nbsp&nbsp&nbsp&nbsp&nbsp&nbspb. notified the website operator about its existence.

Affected Website: habitat.mit.edu
Open Bug Bounty Program: Create your bounty program now. It’s open and free.
Vulnerable Application: Custom Code
Vulnerability Type: XSS (Cross Site Scripting) / CWE-79
CVSSv3 Score: 6.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N]
Disclosure Standard: Coordinated Disclosure based on ISO 29147 guidelines
Discovered and Reported by: devl00p
Remediation Guide: OWASP XSS Prevention Cheat Sheet
Export Vulnerability Data: Bugzilla Vulnerability Data
JIRA Vulnerability Data [ Configuration ]
Mantis Vulnerability Data
Splunk Vulnerability Data
XML Vulnerability Data [ XSD ]

Vulnerable URL:

![](data:image/png;base64, iVBORw0KGgoAAAANSUhEUgAAAiEAAAA3CAIAAABVZQ1/AAAACXBIWXMAAA7EAAAOxAGVKw4bAAAXV0lEQVR4nO2df0zTx//H32KFWsoPsRSQOn6MoDLj0CFBp4apcUoIqc4fSHBqJOqYU0dwQzSOMYfK0DhniCFuwYVsxDhGiCFuaYzrGDOIpNaOVYKmslqZVuRHxbdQeX//uO8u78/7fXd9U6hUucdffV/vffe6173ed33f+93nTeA4jqFQKBQKxQP4jLUBFAqFQnlloXMMhUKhUDwFnWMoFAqF4inoHEOhUCgUT0HnGAqFQqF4CjrHUCgUCsVTeO8cExMTc+PGDdwhRQpe6DQvNIkyHqCBN1Z46Rxz8+bNoaGhN998E3lIkYIXOs0LTaKMB2jgjSEu5pi7d+8GBAQgv+rp6Tly5AjucITU1dVlZGQIDgnGIMHlF6RLsXyErePXOPKipkyZIiWnwIcEkyQy8i6GJj1+/Hjr1q2hoaGRkZGffvrp4ODgSIr1EHwXueGuUaGvry8iIuLWrVsw5bfffps7d66/v/+CBQtu3rz54k16GSFfCxKREgOjOwy+InBELBaLUqmU8hUhpxskJyf/+uuvgsPhVkHIz7KslGzDykMG1jjCoiwWS3BwsJScAh+KyxmuGSN3AjQpIyMjKyvLarWazeZFixYVFBSMpFgPwW/v6Ia3dA4fPpyfn89PCQ8Pr62t7erqKioqSkpKevEmvYyQrwXp8McNJGMVJ96MN66V3b9/v62tLTU1FXk4Kvj5+Y1iaV5YoyecNkKgSU+fPm1paamoqIiMjJwxY8aJEycuXLgw1tZ5I319fdXV1YcOHeInOp3OpKSkKVOmJCUlDQwMjJVtLxGjeC28+HHjFUDSHPP111/HxMRMnTp106ZNPT09DMP09PRER0c7HI4JEyacO3eOf3jixImAgICvvvoqLCxsypQpmzdvfvr0KSjn2rVrixcvDggIiIyMfO+99/7++29kdXV1dStWrJg0aRLyUGwMLHzBggWTJ08ODQ1dt27dvXv3QPqxY8cElghWrvgNQZYjzgMBRR0/fjwmJsbf33/Dhg2PHj3at29faGjo1KlTt27d+uTJE36NhKIYhnn27Nm2bdsCAgKioqI+++yz58+fg/R79+69++67AQEBM2bM+OGHH/hV8y3hr6FBp4FsyO4gOPPJkyc7duwIDQ2dPn36559//vz5c7Hl4jzkXoYmTZ48+Z9//vH39wfp7e3t06ZNW7169VdffQVSbty44efnB+3ZsWPHvn37cA0hNBAXEmIk5iTHEr8XJAYGmdOnT+fn5wvWZ3Jzc9PS0j788MPCwkIYDICx9eHz58/3798fFhbm7++/bt26R48eMZgg2bBhw5dffglPXLBgwblz55DBDww7cuRIaGhoRETEt99+69JpgF9++QV+5g8gyOBEWi6uGvY1zl3ia4RvxrjF9RzjcDgMBkNjY2NTU5PNZisoKGAYJigoyGw2K5VKlmWzs7P5h6tXr3Y4HE1NTc3Nzc3NzS0tLaWlpaCo9PT0LVu2dHR0NDQ0LFq0SC6XI2tEPowhGANoaWnZvn17Z2enyWTSaDS7du0C+Zv/g28JRNAQZDniPGL/NDQ0GAwGm802c+ZMu91uNBqvXr1qsVgKCwvJ1fEpLi7u7+83Go2XLl3S6/VnzpwB6bt27QoMDGxtba2vrxcMKzgETkN2B8GZu3fvttlsLS0tly5dqqurKy8vF1suzgPOxfUyck381q1b+fn5ZWVl6enpOp0OJF68eHFoaOjSpUvgUKfTpaWlkRuCTEeGBBIpOV3Gkji/lMAIFQHSnzx5cuLEieLi4sjIyAMHDsApXKlU3rlzp7Ky8tKlS2+88Qa/xrH1YWlpqU6n0+l0bW1t06ZNa21tZTBBsn79+traWnDW/fv3DQaDVqvFBb/D4TCbzSaTqbKyctGiRQSPAa5du7Zs2bItW7bAFH7gIYMTaTmyan7nit0lvka2bNmybNmy69ev45w2LiAvpVksFoZhent7wWFjY2NsbCz8Cvk8BpzS0dEB0mtqasCqcVdXl0wmQy5odnR0REdHg88Oh0OpVHZ1dYkPCcYIaG9vDw8Px1ki/UkSKIeQB1TR3d0NDhsaGnx8fPr7+6GFcXFxnOSVfZVK5XA4wGeDwZCcnMxxnNPplMvl/FaA5zHiVsDnNGKnIZ2Ac6bT6QQDGTisq6tLSUkR1IjLg+tlQbcCrFZrbGxsdXU1x3E2m02hUIATk5OT8/LysrKyQKWBgYEDAwPkhojTBcCudAmy06XHEuwdKYEBnCAApJeVlWm1Wrvd3t7ePnv27FOnTnEcd/bs2Tlz5nR2dqampq5cuRJYq1arwSlj60O1Wt3S0sJPwQVJf39/YGAgqK68vDwjI4PDBD8wTBw2SI+1tbWtX78+JCSkpKQEFsUPPFxwii1HVu1yiONE8eBwOEpKSkJCQtavX9/W1oZz3avN8J758wcywhwjl8themtrK7wGMjMzExMT8/LyysrKrly5AvM4nU6bzQY+19TULF26FH7FPyQYw3FcS0vL8uXLp02bplKpQkJCgoODcZaQ5xhxOeI8UvzD/e+I43KO6erqYhhG9R8hISHAWpvNJmiFyzlG4DSJToCn22w2X19f+FVbW5t4zMXl4TC9LOhWQEpKChg6AYmJiZcvX+7s7NRoNN3d3Wq12ul0nj17ds2aNeSG4OIN2ZUqHvAsl50+XDdKDAwC8fHxcBSrq6sDoxgcDW02m0qlKikpuXr1amJi4pj7sLu7WyaTOZ1OfhPIQQK6fvny5VVVVbjgH9YjdJlMptVq4bwOEASeODiRliOrljLEIQ3u6urSarUymUxiQ14xZJ6+T+Lz448/Xr9+3WQy2Wy2vLy8hQsXfvPNNwzDTJw4MSIiAuQhLJSR0Wq1OTk5Z86ckcvlVqt15cqV7hk5WuUMF5ZlfXx8mpubZbL/7xQfHzffyBiVNzXdBtnLYpPu379vNBr//PNPmJKWlqbT6e7cuZOenh4UFJSYmKjX6+Eijxsgu9JgMEjM+WIQLPUwDPPw4cPHjx/fuXNn+vTpICU+Pt5msz18+LCrq2vu3LkMw0RERFRWVmq12ubmZv4yzhj6kGGYiRMnSix2/fr1p0+fzs7ObmpqqqmpcTgc0oMf6TGGYYqLi8vKynJzc4uLi19//XXwlSDwxMF5+PDhYVk+XG7fvn3o0CG9Xl9cXOyhKrwd8hTk3n0Mw7uRrK2tRd53GwwGjUYjSHQ6nSqVCt5cCw4Jxjx48ID/M8FgMID7GKQlhPsYZDniU6T4h8P8qiX8NFMqleJ7dsFaWW1tLSizt7fXx8cHLnY1NDSAdLHTJDoBWj6StTIBoJcFJsESBCmNjY3JyckZGRn19fUcx5WXl+/evTs8PBzc4xIagkzHdaUYKZ2OqwXXC9LvY5ArP+AHB/RPbW1tSkoKiAT+ksv27dsZhjGZTGPuQ47j1Gq1wWDgpxCChGXZkJCQkydPghssDhP8yIsFt1bGcZzdbt+7d69Sqdy5cycnuhYEwCFIbDmyailDnOCsnTt3KpXKvLw8u92OtGE84P4c43A4ZDIZjHh4CDpg7dq1VqvVZDIlJiYWFRVxHNfa2rpy5crLly/b7faOjo6cnJz09HRYMlgk1ev1s2fPhomCQ/J1q1ary8vLu7u729ratFotnGPElojXTPkNEZcjzoP7s4uUOQZXFMdxO3fuTElJAT+ySktLi4uLQbpWq+W3AlaRnJyck5PT2dnZ1ta2aNEikC52mhQnCCzPycnJyMjo6OgwmUzz5s0DyxoCy5F5kL0sMAmCXBlXq9Ug3Wq1BgYGwoUgQkOQ6biuRILM2dvbK5PJzGaz0+kk1ILshZGvlWm12pUrV1osFqPRmJCQ8N1333Ecl5ubu3DhQpPJZLfbKysrVSpVeHj4wYMHvcGHJSUlycnJRqPRarXu2rVLr9dzmCABZGVlBQYGnj9/Hhwig39Ya2UQi8WSnZ3Nia4F3BCEtNzlHIN0l+Aayc7Otlgsw7X/FcP9OYbjuKKiIoVCUVlZyT88fvy4Uqk8evSoWq0ODg5+//33waPOgYGBoqKi+Ph4X19ftVqdnZ3d2dkpqCU/P7+wsBCWLzgkG6PX65OSkuRyeXh4eF5eHphjlEplaWmpwBJx9PAbIi5HkIdwUyJljsEVxXEcy7J79+7VaDQKhSItLQ3+/rJarStWrFAqlfHx8WVlZbCK9vb2pUuXKpXKhISEU6dOgXSk08TdQbbc4XBs375dpVJpNJqioiK4Ws13FDIPspcFJiFrBGRlZa1duxYeJiUlwRPJDRGnE7pSDC5nQUEBv6fEsYTrhZHPMXa7PSsrKyQk5LXXXjt69ChIZFm2oKAgOjpaLpfPmzevqqrqzp07CoUCDItj60On0/nJJ5+oVCq5XA7eVuDwgcRxXG1trVKphBUhg9+9OQYiCDzcEIS0nDzH4NzFiUZFios5xg1GEhbx8fFXr17FHVKkIHDaCK/SUWFU+lHiciWFwHjzoYcGkFfVXR7ihT7zdwlfl0l8SJGCFzrNC02ijAdo4HkD3qgl453cuHHjgw8+ECSOc8HwmJiY69evb9y48d9//5V+ynj2GIUy3qBzjFS2bNkSHR3NTxnnguGg+W+99Zavr29+fr70U8atxyiUcYibc0xfX9+ePXuioqImT548Y8aMY8eOQa2LqKiovr4+Qf67d+9O4DF9+vT9+/cPDg6K5Z5gnokTJ8bExHzxxRegZLdFs91WZefX+OjRI6PRuHfvXn4G9/6GQhDnF3hpwoQJq1at4mcQK72L0wXt5XfH48ePN23aNHXqVImK+rdu3Vq1alVQUFBYWNi2bdv4gmYMr/l79+6FEiZkXHrs3Llzs2bNmjx58qxZs8B/p5ANAYCWIuMNMgEFwYCXSDlfytYDgmDD+cpiscTFxb0UrR4Tnj17tnHjRuhhcshRhLj3GGft2rVardZsNj948ECn06WmpjY1NRHyg6dkLMuyLAtUiVJSUsA7l2KZfZgNSEqM5C3G0ToRWYh7guGEd4r4zQcMDAzwM4iV3sXphPZqtVqgqN/a2pqSkgJfuMQRGxubk5Njs9msVmtWVlZmZib/W9h86R4me6yiokKj0Vy8eNFut1+5ciUuLg6+vY1ESr3AjWazOTg4GHqVkP8lUs4Xv5SIzCNlJ4iXqNUvHpZlU1NT165dS5/zu4c7c0x/f79MJhNoNpARDwcNDQ0zZ86Uki0hIQH5ldtVu3GiuBCbzRYcHCyYAyQWS55jcCf29vbOnj0b/t0Pl44rhGVZfq9Bx+JgWfbkyZOwWKPRyP/PLL/5Ej3s0mMajYY/A7W0tCgUCig8JUZ6z0ocajmOU6lU4D99Fy9enDNnjpRTxgopzZfY8Jeo1S8ei8Vy+PBh+i6Z2wxvrQxIVQ8NDTEMA1UfBCCFssXI5XKWZV0uZMnlcqfTKVE0W4oOuUQJcbIIP8MTDHcpqM5gxPnFCuc//fTT0NDQnj17wsLCwsLCPv74Y7gCyWCU3gnpDMP89ddfU6dO/f333xmGYVl2aGjI19cXOra/v5/BC5X7+fnt2bMHFDs4OFhVVbV06VJx88WVQgR9RJZY7+npsVqt/E0+5s6de+XKFfCZrPFO3r/ApWF83FbO37Fjh0e3HiBvisG/jpDBxuB3jvDaVjOYrQFwI4w4nbzzgsQtA6Kiog4cOEDIQCEjdY7hK2b7+/unpaVlZmb+8ccf4m0wcELZfHp6eoqKilxqKD18+PDgwYNarVaiaLYUHXKJEuJkEX6G92hBiqA6UpxfrHC+YsWK/v5+pVJpMpkaGxt1Ot3JkydBBpzSOy4dOHnNmjVHjx5dvHgxwzBBQUHz5s0rLCwcHBzs6+sDqyKw7Uhdd8DPP/+sUCiampoqKirEzUci1ldnXEmsOxwOuVwumLTmz58Pt5khCK27bIIAguK60l3l/HfeecdzsvkSN8UA4HaCwEW+17aawWwNgBthpIw8kOFuGUBxH5d3OkjF7N7e3oKCgvj4eJlMFhcXx/8HL0EoG+qq+vr6ZmVlORwO8d+hYbaQkBC5XL5z506w0CwWgCGLZuNk+aVLiBPWyviC4S4F1XHi/GKFc5Zl+X8Zq62tBeZxGKV3ZDo0NS0tLTc3l9+i1tbWxMREX19fhULBMAx8msIQdd37+/uBJseZM2fEzRc4BxktnASJdfJaBLmDXDZBrGKADJ6RKOe3t7cjbXBpG4Agm49TpEfGJy7YOEzke22rObzcGXKEQabj1BaQ4USQQRMXRZGO6zkGqZgNYVm2sbERPsAnCGUrFArQc5WVleHh4ThFE5jNZrPxy0H2sUA026VC+7AkxAlzjEAwnCyojhPn50QK5wIDzGYzvAKRSu/IdGBqYWGhj48PELkS0N3dfeLECb6KH06onE99ff28efOQzec7BxctLiXWrVYr3wwB5A5y2QTkYwmx4vpIlPNxNhBsQ4Yrh1LOR26XgIxPXLDhIt+bW43cGgA3wiDTCXPMcCcMOse4jeu1suLiYr1en5ube/v2bfG3fn5+CxYsOHXq1Pnz52EiUijbx8cnMjIyMjJy8+bNKpXq7NmzyOpgtoiICLLg9u3bt4GAHRTN1mq1S5Ys0ev1BoOhvr5efArUzzcYDAaDwWg04lTKyQhWioCg+sWLF4crqA6Wyx4/ftzU1IRcegKPvpBK74T0/v7+mpqa6urqgoICwQvHDMMoFIqTJ08KdokXMzg4eO3aNXgYGxsLChc3nw8uWsQS6+Dn88DAQF5e3kcffQSWJQWvU1+/fl3KnsRuIA4esXL+oUOHSktLxcr5bnQ0Ely4GniAFLG7hlsXLvK9udUEcCPDSCT66VqZp5AyEQkUszmOE7zto9fr4S6KUoSyq6urNRoNy7LiHxq4HwuCr8Si2RJl+aVLiOPuY8SC4WRBdZw4PydSONfpdPzfjzU1NWBBA6n0jku3WCwymay1tZXjuPT09F27dgnaVVFRAe9IONGyBhQqB++hwfWEuro6uC+noPkC74mjRaLEukaj0el0MN1kMsH3ylzexyCbwM/Jv49BKq6PUDkfZwMufViy+Uh3SVkr4wcbMvK9udWEtTLxCINMl7jzAoCulXmIYby7bPlPMdtsNqvV6oqKCpvN1t3dDRbrS0pKQDaJQtkJCQlnzpyRPsdIEc12qdDODUdCnF9jR0cHvPdHKtUTBNU5vDg/978K593d3SqV6tChQ3a7vaWlhf/cBan0jkznt8VsNsvlcqPRCKtzOp2xsbF1dXV8nzMYofL09PTMzEyr1WowGBISEsrLy5HNb29vF48UMFrEp+Ak1vn/j9Hr9QkJCYcPH4aluZxjkE2AOfkW4hTXR6Kcj7OBYJtE2XycuwRbD0D/4IINt3OEd7YagNwaADnC4NKl7LwgBTrHuI2b/8Gsr69PTU0NDAxUKBRz5sypqKiAX0kUyq6qqoqOjm5vb5c4x3ASRLNdKrRzw5QQhzWyLAt/7iGV6gmC6hxenJ8TKZyDbQ2VSmVsbGxpaSnMhlR6R6YL2rJ79+4lS5bAw++//55/EwPzI4XKHzx4kJmZGRwcrNFo4HAvbv6FCxfIf6qQKLHOcVxlZeXMmTPlcnl8fDx/rxGXcwxBa52T/DeRkSjn42wg2CZRNp/gLsHWAyARF2y4nSO8s9UA5NYAyBEGly5l5wUp0DnGbUZf2/9VZffu3eCp9Su248BwLx5B81mWjY6OPnv2rPRTRh1vuP5xNniDbZ5jfLaaMiy8S9vfmykrKwNPI8e5YLig+X5+flVVVW+//bb0UygUyviB6i5LZdKkSfPnzx9rK7wR8gRDoVDGM3SOoVAoFIqnmMBx3FjbQKFQKJRXE3ofQ6FQKBRPQecYCoVCoXgKOsdQKBQKxVPQOYZCoVAonoLOMRQKhULxFHSOoVAoFIqnoHMMhUKhUDwFnWMoFAqF4inoHEOhUCgUT0HnGAqFQqF4CjrHUCgUCsVT0DmGQqFQKJ6CzjEUCoVC8RR0jqFQKBSKp6BzDIVCoVA8xf8BBr4p5zqb0PoAAAAASUVORK5CYII=)

Screenshot: habitat.mit.edu  vulnerability

Mirror: Click here to view the mirror

Coordinated Disclosure Timeline

Vulnerability Reported: 28 October, 2019 13:21 GMT
Vulnerability Verified: 28 October, 2019 13:35 GMT
Website Operator Notified: 28 October, 2019 13:35 GMT
a. Using the ISO 29147 guidelines
β€” β€”
b. Using publicly available security contacts
c. Using Open Bug Bounty notification framework
d. Using security contacts provided by the researcher
Public Report Published
[without any technical details]: 28 October, 2019 13:35 GMT
Additional notification email sent: 4 January, 2020 10:23 GMT