habitat.mit.edu Cross Site Scripting vulnerability

2019-10-28T13:21:00

Description

Open Bug Bounty ID: OBB-1005198 Following coordinated and responsible vulnerability disclosure guidelines of the **[ISO 29147](<https://www.iso.org/standard/45170.html>)** standard, Open Bug Bounty has: &nbsp&nbsp&nbsp&nbsp&nbsp&nbspa. verified the vulnerability and confirmed its existence; &nbsp&nbsp&nbsp&nbsp&nbsp&nbspb. notified the website operator about its existence. Affected Website:| **[habitat.mit.edu](<https://habitat.mit.edu>) ** ---|--- Open Bug Bounty Program:| **Create your bounty program now**. It's open and free. Vulnerable Application:| Custom Code Vulnerability Type:| **[XSS (Cross Site Scripting)](<https://www.owasp.org/index.php/Cross-site_Scripting_\(XSS\)>)** / CWE-79 CVSSv3 Score:| 6.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N] Disclosure Standard:| Coordinated Disclosure based on **[ISO 29147](<https://www.iso.org/standard/45170.html>)** guidelines Discovered and Reported by:| **devl00p ** Remediation Guide:| **[OWASP XSS Prevention Cheat Sheet](<https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.md>)** Export Vulnerability Data:| Bugzilla Vulnerability Data JIRA Vulnerability Data [ Configuration ] Mantis Vulnerability Data Splunk Vulnerability Data XML Vulnerability Data [ XSD ] Vulnerable URL: ![](data:image/png;base64, iVBORw0KGgoAAAANSUhEUgAAAiEAAAA3CAIAAABVZQ1/AAAACXBIWXMAAA7EAAAOxAGVKw4bAAAXV0lEQVR4nO2df0zTx//H32KFWsoPsRSQOn6MoDLj0CFBp4apcUoIqc4fSHBqJOqYU0dwQzSOMYfK0DhniCFuwYVsxDhGiCFuaYzrGDOIpNaOVYKmslqZVuRHxbdQeX//uO8u78/7fXd9U6hUucdffV/vffe6173ed33f+93nTeA4jqFQKBQKxQP4jLUBFAqFQnlloXMMhUKhUDwFnWMoFAqF4inoHEOhUCgUT0HnGAqFQqF4CjrHUCgUCsVTeO8cExMTc+PGDdwhRQpe6DQvNIkyHqCBN1Z46Rxz8+bNoaGhN998E3lIkYIXOs0LTaKMB2jgjSEu5pi7d+8GBAQgv+rp6Tly5AjucITU1dVlZGQIDgnGIMHlF6RLsXyErePXOPKipkyZIiWnwIcEkyQy8i6GJj1+/Hjr1q2hoaGRkZGffvrp4ODgSIr1EHwXueGuUaGvry8iIuLWrVsw5bfffps7d66/v/+CBQtu3rz54k16GSFfCxKREgOjOwy+InBELBaLUqmU8hUhpxskJyf/+uuvgsPhVkHIz7KslGzDykMG1jjCoiwWS3BwsJScAh+KyxmuGSN3AjQpIyMjKyvLarWazeZFixYVFBSMpFgPwW/v6Ia3dA4fPpyfn89PCQ8Pr62t7erqKioqSkpKevEmvYyQrwXp8McNJGMVJ96MN66V3b9/v62tLTU1FXk4Kvj5+Y1iaV5YoyecNkKgSU+fPm1paamoqIiMjJwxY8aJEycuXLgw1tZ5I319fdXV1YcOHeInOp3OpKSkKVOmJCUlDQwMjJVtLxGjeC28+HHjFUDSHPP111/HxMRMnTp106ZNPT09DMP09PRER0c7HI4JEyacO3eOf3jixImAgICvvvoqLCxsypQpmzdvfvr0KSjn2rVrixcvDggIiIyMfO+99/7++29kdXV1dStWrJg0aRLyUGwMLHzBggWTJ08ODQ1dt27dvXv3QPqxY8cElghWrvgNQZYjzgMBRR0/fjwmJsbf33/Dhg2PHj3at29faGjo1KlTt27d+uTJE36NhKIYhnn27Nm2bdsCAgKioqI+++yz58+fg/R79+69++67AQEBM2bM+OGHH/hV8y3hr6FBp4FsyO4gOPPJkyc7duwIDQ2dPn36559//vz5c7Hl4jzkXoYmTZ48+Z9//vH39wfp7e3t06ZNW7169VdffQVSbty44efnB+3ZsWPHvn37cA0hNBAXEmIk5iTHEr8XJAYGmdOnT+fn5wvWZ3Jzc9PS0j788MPCwkIYDICx9eHz58/3798fFhbm7++/bt26R48eMZgg2bBhw5dffglPXLBgwblz55DBDww7cuRIaGhoRETEt99+69JpgF9++QV+5g8gyOBEWi6uGvY1zl3ia4RvxrjF9RzjcDgMBkNjY2NTU5PNZisoKGAYJigoyGw2K5VKlmWzs7P5h6tXr3Y4HE1NTc3Nzc3NzS0tLaWlpaCo9PT0LVu2dHR0NDQ0LFq0SC6XI2tEPowhGANoaWnZvn17Z2enyWTSaDS7du0C+Zv/g28JRNAQZDniPGL/NDQ0GAwGm802c+ZMu91uNBqvXr1qsVgKCwvJ1fEpLi7u7+83Go2XLl3S6/VnzpwB6bt27QoMDGxtba2vrxcMKzgETkN2B8GZu3fvttlsLS0tly5dqqurKy8vF1suzgPOxfUyck381q1b+fn5ZWVl6enpOp0OJF68eHFoaOjSpUvgUKfTpaWlkRuCTEeGBBIpOV3Gkji/lMAIFQHSnzx5cuLEieLi4sjIyAMHDsApXKlU3rlzp7Ky8tKlS2+88Qa/xrH1YWlpqU6n0+l0bW1t06ZNa21tZTBBsn79+traWnDW/fv3DQaDVqvFBb/D4TCbzSaTqbKyctGiRQSPAa5du7Zs2bItW7bAFH7gIYMTaTmyan7nit0lvka2bNmybNmy69ev45w2LiAvpVksFoZhent7wWFjY2NsbCz8Cvk8BpzS0dEB0mtqasCqcVdXl0wmQy5odnR0REdHg88Oh0OpVHZ1dYkPCcYIaG9vDw8Px1ki/UkSKIeQB1TR3d0NDhsaGnx8fPr7+6GFcXFxnOSVfZVK5XA4wGeDwZCcnMxxnNPplMvl/FaA5zHiVsDnNGKnIZ2Ac6bT6QQDGTisq6tLSUkR1IjLg+tlQbcCrFZrbGxsdXU1x3E2m02hUIATk5OT8/LysrKyQKWBgYEDAwPkhojTBcCudAmy06XHEuwdKYEBnCAApJeVlWm1Wrvd3t7ePnv27FOnTnEcd/bs2Tlz5nR2dqampq5cuRJYq1arwSlj60O1Wt3S0sJPwQVJf39/YGAgqK68vDwjI4PDBD8wTBw2SI+1tbWtX78+JCSkpKQEFsUPPFxwii1HVu1yiONE8eBwOEpKSkJCQtavX9/W1oZz3avN8J758wcywhwjl8themtrK7wGMjMzExMT8/LyysrKrly5AvM4nU6bzQY+19TULF26FH7FPyQYw3FcS0vL8uXLp02bplKpQkJCgoODcZaQ5xhxOeI8UvzD/e+I43KO6erqYhhG9R8hISHAWpvNJmiFyzlG4DSJToCn22w2X19f+FVbW5t4zMXl4TC9LOhWQEpKChg6AYmJiZcvX+7s7NRoNN3d3Wq12ul0nj17ds2aNeSG4OIN2ZUqHvAsl50+XDdKDAwC8fHxcBSrq6sDoxgcDW02m0qlKikpuXr1amJi4pj7sLu7WyaTOZ1OfhPIQQK6fvny5VVVVbjgH9YjdJlMptVq4bwOEASeODiRliOrljLEIQ3u6urSarUymUxiQ14xZJ6+T+Lz448/Xr9+3WQy2Wy2vLy8hQsXfvPNNwzDTJw4MSIiAuQhLJSR0Wq1OTk5Z86ckcvlVqt15cqV7hk5WuUMF5ZlfXx8mpubZbL/7xQfHzffyBiVNzXdBtnLYpPu379vNBr//PNPmJKWlqbT6e7cuZOenh4UFJSYmKjX6+Eijxsgu9JgMEjM+WIQLPUwDPPw4cPHjx/fuXNn+vTpICU+Pt5msz18+LCrq2vu3LkMw0RERFRWVmq12ubmZv4yzhj6kGGYiRMnSix2/fr1p0+fzs7ObmpqqqmpcTgc0oMf6TGGYYqLi8vKynJzc4uLi19//XXwlSDwxMF5+PDhYVk+XG7fvn3o0CG9Xl9cXOyhKrwd8hTk3n0Mw7uRrK2tRd53GwwGjUYjSHQ6nSqVCt5cCw4Jxjx48ID/M8FgMID7GKQlhPsYZDniU6T4h8P8qiX8NFMqleJ7dsFaWW1tLSizt7fXx8cHLnY1NDSAdLHTJDoBWj6StTIBoJcFJsESBCmNjY3JyckZGRn19fUcx5WXl+/evTs8PBzc4xIagkzHdaUYKZ2OqwXXC9LvY5ArP+AHB/RPbW1tSkoKiAT+ksv27dsZhjGZTGPuQ47j1Gq1wWDgpxCChGXZkJCQkydPghssDhP8yIsFt1bGcZzdbt+7d69Sqdy5cycnuhYEwCFIbDmyailDnOCsnTt3KpXKvLw8u92OtGE84P4c43A4ZDIZjHh4CDpg7dq1VqvVZDIlJiYWFRVxHNfa2rpy5crLly/b7faOjo6cnJz09HRYMlgk1ev1s2fPhomCQ/J1q1ary8vLu7u729ratFotnGPElojXTPkNEZcjzoP7s4uUOQZXFMdxO3fuTElJAT+ySktLi4uLQbpWq+W3AlaRnJyck5PT2dnZ1ta2aNEikC52mhQnCCzPycnJyMjo6OgwmUzz5s0DyxoCy5F5kL0sMAmCXBlXq9Ug3Wq1BgYGwoUgQkOQ6biuRILM2dvbK5PJzGaz0+kk1ILshZGvlWm12pUrV1osFqPRmJCQ8N1333Ecl5ubu3DhQpPJZLfbKysrVSpVeHj4wYMHvcGHJSUlycnJRqPRarXu2rVLr9dzmCABZGVlBQYGnj9/Hhwig39Ya2UQi8WSnZ3Nia4F3BCEtNzlHIN0l+Aayc7Otlgsw7X/FcP9OYbjuKKiIoVCUVlZyT88fvy4Uqk8evSoWq0ODg5+//33waPOgYGBoqKi+Ph4X19ftVqdnZ3d2dkpqCU/P7+wsBCWLzgkG6PX65OSkuRyeXh4eF5eHphjlEplaWmpwBJx9PAbIi5HkIdwUyJljsEVxXEcy7J79+7VaDQKhSItLQ3+/rJarStWrFAqlfHx8WVlZbCK9vb2pUuXKpXKhISEU6dOgXSk08TdQbbc4XBs375dpVJpNJqioiK4Ws13FDIPspcFJiFrBGRlZa1duxYeJiUlwRPJDRGnE7pSDC5nQUEBv6fEsYTrhZHPMXa7PSsrKyQk5LXXXjt69ChIZFm2oKAgOjpaLpfPmzevqqrqzp07CoUCDItj60On0/nJJ5+oVCq5XA7eVuDwgcRxXG1trVKphBUhg9+9OQYiCDzcEIS0nDzH4NzFiUZFios5xg1GEhbx8fFXr17FHVKkIHDaCK/SUWFU+lHiciWFwHjzoYcGkFfVXR7ihT7zdwlfl0l8SJGCFzrNC02ijAdo4HkD3qgl453cuHHjgw8+ECSOc8HwmJiY69evb9y48d9//5V+ynj2GIUy3qBzjFS2bNkSHR3NTxnnguGg+W+99Zavr29+fr70U8atxyiUcYibc0xfX9+ePXuioqImT548Y8aMY8eOQa2LqKiovr4+Qf67d+9O4DF9+vT9+/cPDg6K5Z5gnokTJ8bExHzxxRegZLdFs91WZefX+OjRI6PRuHfvXn4G9/6GQhDnF3hpwoQJq1at4mcQK72L0wXt5XfH48ePN23aNHXqVImK+rdu3Vq1alVQUFBYWNi2bdv4gmYMr/l79+6FEiZkXHrs3Llzs2bNmjx58qxZs8B/p5ANAYCWIuMNMgEFwYCXSDlfytYDgmDD+cpiscTFxb0UrR4Tnj17tnHjRuhhcshRhLj3GGft2rVardZsNj948ECn06WmpjY1NRHyg6dkLMuyLAtUiVJSUsA7l2KZfZgNSEqM5C3G0ToRWYh7guGEd4r4zQcMDAzwM4iV3sXphPZqtVqgqN/a2pqSkgJfuMQRGxubk5Njs9msVmtWVlZmZib/W9h86R4me6yiokKj0Vy8eNFut1+5ciUuLg6+vY1ESr3AjWazOTg4GHqVkP8lUs4Xv5SIzCNlJ4iXqNUvHpZlU1NT165dS5/zu4c7c0x/f79MJhNoNpARDwcNDQ0zZ86Uki0hIQH5ldtVu3GiuBCbzRYcHCyYAyQWS55jcCf29vbOnj0b/t0Pl44rhGVZfq9Bx+JgWfbkyZOwWKPRyP/PLL/5Ej3s0mMajYY/A7W0tCgUCig8JUZ6z0ocajmOU6lU4D99Fy9enDNnjpRTxgopzZfY8Jeo1S8ei8Vy+PBh+i6Z2wxvrQxIVQ8NDTEMA1UfBCCFssXI5XKWZV0uZMnlcqfTKVE0W4oOuUQJcbIIP8MTDHcpqM5gxPnFCuc//fTT0NDQnj17wsLCwsLCPv74Y7gCyWCU3gnpDMP89ddfU6dO/f333xmGYVl2aGjI19cXOra/v5/BC5X7+fnt2bMHFDs4OFhVVbV06VJx88WVQgR9RJZY7+npsVqt/E0+5s6de+XKFfCZrPFO3r/ApWF83FbO37Fjh0e3HiBvisG/jpDBxuB3jvDaVjOYrQFwI4w4nbzzgsQtA6Kiog4cOEDIQCEjdY7hK2b7+/unpaVlZmb+8ccf4m0wcELZfHp6eoqKilxqKD18+PDgwYNarVaiaLYUHXKJEuJkEX6G92hBiqA6UpxfrHC+YsWK/v5+pVJpMpkaGxt1Ot3JkydBBpzSOy4dOHnNmjVHjx5dvHgxwzBBQUHz5s0rLCwcHBzs6+sDqyKw7Uhdd8DPP/+sUCiampoqKirEzUci1ldnXEmsOxwOuVwumLTmz58Pt5khCK27bIIAguK60l3l/HfeecdzsvkSN8UA4HaCwEW+17aawWwNgBthpIw8kOFuGUBxH5d3OkjF7N7e3oKCgvj4eJlMFhcXx/8HL0EoG+qq+vr6ZmVlORwO8d+hYbaQkBC5XL5z506w0CwWgCGLZuNk+aVLiBPWyviC4S4F1XHi/GKFc5Zl+X8Zq62tBeZxGKV3ZDo0NS0tLTc3l9+i1tbWxMREX19fhULBMAx8msIQdd37+/uBJseZM2fEzRc4BxktnASJdfJaBLmDXDZBrGKADJ6RKOe3t7cjbXBpG4Agm49TpEfGJy7YOEzke22rObzcGXKEQabj1BaQ4USQQRMXRZGO6zkGqZgNYVm2sbERPsAnCGUrFArQc5WVleHh4ThFE5jNZrPxy0H2sUA026VC+7AkxAlzjEAwnCyojhPn50QK5wIDzGYzvAKRSu/IdGBqYWGhj48PELkS0N3dfeLECb6KH06onE99ff28efOQzec7BxctLiXWrVYr3wwB5A5y2QTkYwmx4vpIlPNxNhBsQ4Yrh1LOR26XgIxPXLDhIt+bW43cGgA3wiDTCXPMcCcMOse4jeu1suLiYr1en5ube/v2bfG3fn5+CxYsOHXq1Pnz52EiUijbx8cnMjIyMjJy8+bNKpXq7NmzyOpgtoiICLLg9u3bt4GAHRTN1mq1S5Ys0ev1BoOhvr5efArUzzcYDAaDwWg04lTKyQhWioCg+sWLF4crqA6Wyx4/ftzU1IRcegKPvpBK74T0/v7+mpqa6urqgoICwQvHDMMoFIqTJ08KdokXMzg4eO3aNXgYGxsLChc3nw8uWsQS6+Dn88DAQF5e3kcffQSWJQWvU1+/fl3KnsRuIA4esXL+oUOHSktLxcr5bnQ0Ely4GniAFLG7hlsXLvK9udUEcCPDSCT66VqZp5AyEQkUszmOE7zto9fr4S6KUoSyq6urNRoNy7LiHxq4HwuCr8Si2RJl+aVLiOPuY8SC4WRBdZw4PydSONfpdPzfjzU1NWBBA6n0jku3WCwymay1tZXjuPT09F27dgnaVVFRAe9IONGyBhQqB++hwfWEuro6uC+noPkC74mjRaLEukaj0el0MN1kMsH3ylzexyCbwM/Jv49BKq6PUDkfZwMufViy+Uh3SVkr4wcbMvK9udWEtTLxCINMl7jzAoCulXmIYby7bPlPMdtsNqvV6oqKCpvN1t3dDRbrS0pKQDaJQtkJCQlnzpyRPsdIEc12qdDODUdCnF9jR0cHvPdHKtUTBNU5vDg/978K593d3SqV6tChQ3a7vaWlhf/cBan0jkznt8VsNsvlcqPRCKtzOp2xsbF1dXV8nzMYofL09PTMzEyr1WowGBISEsrLy5HNb29vF48UMFrEp+Ak1vn/j9Hr9QkJCYcPH4aluZxjkE2AOfkW4hTXR6Kcj7OBYJtE2XycuwRbD0D/4IINt3OEd7YagNwaADnC4NKl7LwgBTrHuI2b/8Gsr69PTU0NDAxUKBRz5sypqKiAX0kUyq6qqoqOjm5vb5c4x3ASRLNdKrRzw5QQhzWyLAt/7iGV6gmC6hxenJ8TKZyDbQ2VSmVsbGxpaSnMhlR6R6YL2rJ79+4lS5bAw++//55/EwPzI4XKHzx4kJmZGRwcrNFo4HAvbv6FCxfIf6qQKLHOcVxlZeXMmTPlcnl8fDx/rxGXcwxBa52T/DeRkSjn42wg2CZRNp/gLsHWAyARF2y4nSO8s9UA5NYAyBEGly5l5wUp0DnGbUZf2/9VZffu3eCp9Su248BwLx5B81mWjY6OPnv2rPRTRh1vuP5xNniDbZ5jfLaaMiy8S9vfmykrKwNPI8e5YLig+X5+flVVVW+//bb0UygUyviB6i5LZdKkSfPnzx9rK7wR8gRDoVDGM3SOoVAoFIqnmMBx3FjbQKFQKJRXE3ofQ6FQKBRPQecYCoVCoXgKOsdQKBQKxVPQOYZCoVAonoLOMRQKhULxFHSOoVAoFIqnoHMMhUKhUDwFnWMoFAqF4inoHEOhUCgUT0HnGAqFQqF4CjrHUCgUCsVT0DmGQqFQKJ6CzjEUCoVC8RR0jqFQKBSKp6BzDIVCoVA8xf8BBr4p5zqb0PoAAAAASUVORK5CYII=) --- **Screenshot:** ![habitat.mit.edu vulnerability](/twimages/screen-1005198.jpg) **Mirror:** [Click here to view the mirror](<http://1005198.openbounty.org/mirror/>) ### Coordinated Disclosure Timeline Vulnerability Reported:| 28 October, 2019 13:21 GMT ---|--- Vulnerability Verified:| 28 October, 2019 13:35 GMT Website Operator Notified:| 28 October, 2019 13:35 GMT a. Using the ISO 29147 guidelines| ![](/images/done.png) ---|--- b. Using publicly available security contacts| ![](/images/done.png) c. Using Open Bug Bounty notification framework| ![](/images/done.png) d. Using security contacts provided by the researcher| ![](/images/done.png) Public Report Published [without any technical details]:| 28 October, 2019 13:35 GMT Additional notification email sent:| 4 January, 2020 10:23 GMT

{"id": "OBB:1005198", "type": "openbugbounty", "bulletinFamily": "bugbounty", "title": "habitat.mit.edu Cross Site Scripting vulnerability ", "description": " \n\n\nOpen Bug Bounty ID: OBB-1005198\n\nFollowing coordinated and responsible vulnerability disclosure guidelines of the **[ISO 29147](<https://www.iso.org/standard/45170.html>)** standard, Open Bug Bounty has: \n\n&nbsp&nbsp&nbsp&nbsp&nbsp&nbspa. verified the vulnerability and confirmed its existence; \n&nbsp&nbsp&nbsp&nbsp&nbsp&nbspb. notified the website operator about its existence.\n\nAffected Website:| **[habitat.mit.edu](<https://habitat.mit.edu>) ** \n---|--- \nOpen Bug Bounty Program:| **Create your bounty program now**. It's open and free. \nVulnerable Application:| Custom Code \nVulnerability Type:| **[XSS (Cross Site Scripting)](<https://www.owasp.org/index.php/Cross-site_Scripting_\\(XSS\\)>)** / CWE-79 \nCVSSv3 Score:| 6.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N] \nDisclosure Standard:| Coordinated Disclosure based on **[ISO 29147](<https://www.iso.org/standard/45170.html>)** guidelines \nDiscovered and Reported by:| **devl00p ** \nRemediation Guide:| **[OWASP XSS Prevention Cheat Sheet](<https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.md>)** \nExport Vulnerability Data:| Bugzilla Vulnerability Data \nJIRA Vulnerability Data [ Configuration ] \nMantis Vulnerability Data \nSplunk Vulnerability Data \nXML Vulnerability Data [ XSD ] \n \nVulnerable URL:\n\n![](data:image/png;base64, iVBORw0KGgoAAAANSUhEUgAAAiEAAAA3CAIAAABVZQ1/AAAACXBIWXMAAA7EAAAOxAGVKw4bAAAXV0lEQVR4nO2df0zTx//H32KFWsoPsRSQOn6MoDLj0CFBp4apcUoIqc4fSHBqJOqYU0dwQzSOMYfK0DhniCFuwYVsxDhGiCFuaYzrGDOIpNaOVYKmslqZVuRHxbdQeX//uO8u78/7fXd9U6hUucdffV/vffe6173ed33f+93nTeA4jqFQKBQKxQP4jLUBFAqFQnlloXMMhUKhUDwFnWMoFAqF4inoHEOhUCgUT0HnGAqFQqF4CjrHUCgUCsVTeO8cExMTc+PGDdwhRQpe6DQvNIkyHqCBN1Z46Rxz8+bNoaGhN998E3lIkYIXOs0LTaKMB2jgjSEu5pi7d+8GBAQgv+rp6Tly5AjucITU1dVlZGQIDgnGIMHlF6RLsXyErePXOPKipkyZIiWnwIcEkyQy8i6GJj1+/Hjr1q2hoaGRkZGffvrp4ODgSIr1EHwXueGuUaGvry8iIuLWrVsw5bfffps7d66/v/+CBQtu3rz54k16GSFfCxKREgOjOwy+InBELBaLUqmU8hUhpxskJyf/+uuvgsPhVkHIz7KslGzDykMG1jjCoiwWS3BwsJScAh+KyxmuGSN3AjQpIyMjKyvLarWazeZFixYVFBSMpFgPwW/v6Ia3dA4fPpyfn89PCQ8Pr62t7erqKioqSkpKevEmvYyQrwXp8McNJGMVJ96MN66V3b9/v62tLTU1FXk4Kvj5+Y1iaV5YoyecNkKgSU+fPm1paamoqIiMjJwxY8aJEycuXLgw1tZ5I319fdXV1YcOHeInOp3OpKSkKVOmJCUlDQwMjJVtLxGjeC28+HHjFUDSHPP111/HxMRMnTp106ZNPT09DMP09PRER0c7HI4JEyacO3eOf3jixImAgICvvvoqLCxsypQpmzdvfvr0KSjn2rVrixcvDggIiIyMfO+99/7++29kdXV1dStWrJg0aRLyUGwMLHzBggWTJ08ODQ1dt27dvXv3QPqxY8cElghWrvgNQZYjzgMBRR0/fjwmJsbf33/Dhg2PHj3at29faGjo1KlTt27d+uTJE36NhKIYhnn27Nm2bdsCAgKioqI+++yz58+fg/R79+69++67AQEBM2bM+OGHH/hV8y3hr6FBp4FsyO4gOPPJkyc7duwIDQ2dPn36559//vz5c7Hl4jzkXoYmTZ48+Z9//vH39wfp7e3t06ZNW7169VdffQVSbty44efnB+3ZsWPHvn37cA0hNBAXEmIk5iTHEr8XJAYGmdOnT+fn5wvWZ3Jzc9PS0j788MPCwkIYDICx9eHz58/3798fFhbm7++/bt26R48eMZgg2bBhw5dffglPXLBgwblz55DBDww7cuRIaGhoRETEt99+69JpgF9++QV+5g8gyOBEWi6uGvY1zl3ia4RvxrjF9RzjcDgMBkNjY2NTU5PNZisoKGAYJigoyGw2K5VKlmWzs7P5h6tXr3Y4HE1NTc3Nzc3NzS0tLaWlpaCo9PT0LVu2dHR0NDQ0LFq0SC6XI2tEPowhGANoaWnZvn17Z2enyWTSaDS7du0C+Zv/g28JRNAQZDniPGL/NDQ0GAwGm802c+ZMu91uNBqvXr1qsVgKCwvJ1fEpLi7u7+83Go2XLl3S6/VnzpwB6bt27QoMDGxtba2vrxcMKzgETkN2B8GZu3fvttlsLS0tly5dqqurKy8vF1suzgPOxfUyck381q1b+fn5ZWVl6enpOp0OJF68eHFoaOjSpUvgUKfTpaWlkRuCTEeGBBIpOV3Gkji/lMAIFQHSnzx5cuLEieLi4sjIyAMHDsApXKlU3rlzp7Ky8tKlS2+88Qa/xrH1YWlpqU6n0+l0bW1t06ZNa21tZTBBsn79+traWnDW/fv3DQaDVqvFBb/D4TCbzSaTqbKyctGiRQSPAa5du7Zs2bItW7bAFH7gIYMTaTmyan7nit0lvka2bNmybNmy69ev45w2LiAvpVksFoZhent7wWFjY2NsbCz8Cvk8BpzS0dEB0mtqasCqcVdXl0wmQy5odnR0REdHg88Oh0OpVHZ1dYkPCcYIaG9vDw8Px1ki/UkSKIeQB1TR3d0NDhsaGnx8fPr7+6GFcXFxnOSVfZVK5XA4wGeDwZCcnMxxnNPplMvl/FaA5zHiVsDnNGKnIZ2Ac6bT6QQDGTisq6tLSUkR1IjLg+tlQbcCrFZrbGxsdXU1x3E2m02hUIATk5OT8/LysrKyQKWBgYEDAwPkhojTBcCudAmy06XHEuwdKYEBnCAApJeVlWm1Wrvd3t7ePnv27FOnTnEcd/bs2Tlz5nR2dqampq5cuRJYq1arwSlj60O1Wt3S0sJPwQVJf39/YGAgqK68vDwjI4PDBD8wTBw2SI+1tbWtX78+JCSkpKQEFsUPPFxwii1HVu1yiONE8eBwOEpKSkJCQtavX9/W1oZz3avN8J758wcywhwjl8themtrK7wGMjMzExMT8/LyysrKrly5AvM4nU6bzQY+19TULF26FH7FPyQYw3FcS0vL8uXLp02bplKpQkJCgoODcZaQ5xhxOeI8UvzD/e+I43KO6erqYhhG9R8hISHAWpvNJmiFyzlG4DSJToCn22w2X19f+FVbW5t4zMXl4TC9LOhWQEpKChg6AYmJiZcvX+7s7NRoNN3d3Wq12ul0nj17ds2aNeSG4OIN2ZUqHvAsl50+XDdKDAwC8fHxcBSrq6sDoxgcDW02m0qlKikpuXr1amJi4pj7sLu7WyaTOZ1OfhPIQQK6fvny5VVVVbjgH9YjdJlMptVq4bwOEASeODiRliOrljLEIQ3u6urSarUymUxiQ14xZJ6+T+Lz448/Xr9+3WQy2Wy2vLy8hQsXfvPNNwzDTJw4MSIiAuQhLJSR0Wq1OTk5Z86ckcvlVqt15cqV7hk5WuUMF5ZlfXx8mpubZbL/7xQfHzffyBiVNzXdBtnLYpPu379vNBr//PNPmJKWlqbT6e7cuZOenh4UFJSYmKjX6+Eijxsgu9JgMEjM+WIQLPUwDPPw4cPHjx/fuXNn+vTpICU+Pt5msz18+LCrq2vu3LkMw0RERFRWVmq12ubmZv4yzhj6kGGYiRMnSix2/fr1p0+fzs7ObmpqqqmpcTgc0oMf6TGGYYqLi8vKynJzc4uLi19//XXwlSDwxMF5+PDhYVk+XG7fvn3o0CG9Xl9cXOyhKrwd8hTk3n0Mw7uRrK2tRd53GwwGjUYjSHQ6nSqVCt5cCw4Jxjx48ID/M8FgMID7GKQlhPsYZDniU6T4h8P8qiX8NFMqleJ7dsFaWW1tLSizt7fXx8cHLnY1NDSAdLHTJDoBWj6StTIBoJcFJsESBCmNjY3JyckZGRn19fUcx5WXl+/evTs8PBzc4xIagkzHdaUYKZ2OqwXXC9LvY5ArP+AHB/RPbW1tSkoKiAT+ksv27dsZhjGZTGPuQ47j1Gq1wWDgpxCChGXZkJCQkydPghssDhP8yIsFt1bGcZzdbt+7d69Sqdy5cycnuhYEwCFIbDmyailDnOCsnTt3KpXKvLw8u92OtGE84P4c43A4ZDIZjHh4CDpg7dq1VqvVZDIlJiYWFRVxHNfa2rpy5crLly/b7faOjo6cnJz09HRYMlgk1ev1s2fPhomCQ/J1q1ary8vLu7u729ratFotnGPElojXTPkNEZcjzoP7s4uUOQZXFMdxO3fuTElJAT+ySktLi4uLQbpWq+W3AlaRnJyck5PT2dnZ1ta2aNEikC52mhQnCCzPycnJyMjo6OgwmUzz5s0DyxoCy5F5kL0sMAmCXBlXq9Ug3Wq1BgYGwoUgQkOQ6biuRILM2dvbK5PJzGaz0+kk1ILshZGvlWm12pUrV1osFqPRmJCQ8N1333Ecl5ubu3DhQpPJZLfbKysrVSpVeHj4wYMHvcGHJSUlycnJRqPRarXu2rVLr9dzmCABZGVlBQYGnj9/Hhwig39Ya2UQi8WSnZ3Nia4F3BCEtNzlHIN0l+Aayc7Otlgsw7X/FcP9OYbjuKKiIoVCUVlZyT88fvy4Uqk8evSoWq0ODg5+//33waPOgYGBoqKi+Ph4X19ftVqdnZ3d2dkpqCU/P7+wsBCWLzgkG6PX65OSkuRyeXh4eF5eHphjlEplaWmpwBJx9PAbIi5HkIdwUyJljsEVxXEcy7J79+7VaDQKhSItLQ3+/rJarStWrFAqlfHx8WVlZbCK9vb2pUuXKpXKhISEU6dOgXSk08TdQbbc4XBs375dpVJpNJqioiK4Ws13FDIPspcFJiFrBGRlZa1duxYeJiUlwRPJDRGnE7pSDC5nQUEBv6fEsYTrhZHPMXa7PSsrKyQk5LXXXjt69ChIZFm2oKAgOjpaLpfPmzevqqrqzp07CoUCDItj60On0/nJJ5+oVCq5XA7eVuDwgcRxXG1trVKphBUhg9+9OQYiCDzcEIS0nDzH4NzFiUZFios5xg1GEhbx8fFXr17FHVKkIHDaCK/SUWFU+lHiciWFwHjzoYcGkFfVXR7ihT7zdwlfl0l8SJGCFzrNC02ijAdo4HkD3qgl453cuHHjgw8+ECSOc8HwmJiY69evb9y48d9//5V+ynj2GIUy3qBzjFS2bNkSHR3NTxnnguGg+W+99Zavr29+fr70U8atxyiUcYibc0xfX9+ePXuioqImT548Y8aMY8eOQa2LqKiovr4+Qf67d+9O4DF9+vT9+/cPDg6K5Z5gnokTJ8bExHzxxRegZLdFs91WZefX+OjRI6PRuHfvXn4G9/6GQhDnF3hpwoQJq1at4mcQK72L0wXt5XfH48ePN23aNHXqVImK+rdu3Vq1alVQUFBYWNi2bdv4gmYMr/l79+6FEiZkXHrs3Llzs2bNmjx58qxZs8B/p5ANAYCWIuMNMgEFwYCXSDlfytYDgmDD+cpiscTFxb0UrR4Tnj17tnHjRuhhcshRhLj3GGft2rVardZsNj948ECn06WmpjY1NRHyg6dkLMuyLAtUiVJSUsA7l2KZfZgNSEqM5C3G0ToRWYh7guGEd4r4zQcMDAzwM4iV3sXphPZqtVqgqN/a2pqSkgJfuMQRGxubk5Njs9msVmtWVlZmZib/W9h86R4me6yiokKj0Vy8eNFut1+5ciUuLg6+vY1ESr3AjWazOTg4GHqVkP8lUs4Xv5SIzCNlJ4iXqNUvHpZlU1NT165dS5/zu4c7c0x/f79MJhNoNpARDwcNDQ0zZ86Uki0hIQH5ldtVu3GiuBCbzRYcHCyYAyQWS55jcCf29vbOnj0b/t0Pl44rhGVZfq9Bx+JgWfbkyZOwWKPRyP/PLL/5Ej3s0mMajYY/A7W0tCgUCig8JUZ6z0ocajmOU6lU4D99Fy9enDNnjpRTxgopzZfY8Jeo1S8ei8Vy+PBh+i6Z2wxvrQxIVQ8NDTEMA1UfBCCFssXI5XKWZV0uZMnlcqfTKVE0W4oOuUQJcbIIP8MTDHcpqM5gxPnFCuc//fTT0NDQnj17wsLCwsLCPv74Y7gCyWCU3gnpDMP89ddfU6dO/f333xmGYVl2aGjI19cXOra/v5/BC5X7+fnt2bMHFDs4OFhVVbV06VJx88WVQgR9RJZY7+npsVqt/E0+5s6de+XKFfCZrPFO3r/ApWF83FbO37Fjh0e3HiBvisG/jpDBxuB3jvDaVjOYrQFwI4w4nbzzgsQtA6Kiog4cOEDIQCEjdY7hK2b7+/unpaVlZmb+8ccf4m0wcELZfHp6eoqKilxqKD18+PDgwYNarVaiaLYUHXKJEuJkEX6G92hBiqA6UpxfrHC+YsWK/v5+pVJpMpkaGxt1Ot3JkydBBpzSOy4dOHnNmjVHjx5dvHgxwzBBQUHz5s0rLCwcHBzs6+sDqyKw7Uhdd8DPP/+sUCiampoqKirEzUci1ldnXEmsOxwOuVwumLTmz58Pt5khCK27bIIAguK60l3l/HfeecdzsvkSN8UA4HaCwEW+17aawWwNgBthpIw8kOFuGUBxH5d3OkjF7N7e3oKCgvj4eJlMFhcXx/8HL0EoG+qq+vr6ZmVlORwO8d+hYbaQkBC5XL5z506w0CwWgCGLZuNk+aVLiBPWyviC4S4F1XHi/GKFc5Zl+X8Zq62tBeZxGKV3ZDo0NS0tLTc3l9+i1tbWxMREX19fhULBMAx8msIQdd37+/uBJseZM2fEzRc4BxktnASJdfJaBLmDXDZBrGKADJ6RKOe3t7cjbXBpG4Agm49TpEfGJy7YOEzke22rObzcGXKEQabj1BaQ4USQQRMXRZGO6zkGqZgNYVm2sbERPsAnCGUrFArQc5WVleHh4ThFE5jNZrPxy0H2sUA026VC+7AkxAlzjEAwnCyojhPn50QK5wIDzGYzvAKRSu/IdGBqYWGhj48PELkS0N3dfeLECb6KH06onE99ff28efOQzec7BxctLiXWrVYr3wwB5A5y2QTkYwmx4vpIlPNxNhBsQ4Yrh1LOR26XgIxPXLDhIt+bW43cGgA3wiDTCXPMcCcMOse4jeu1suLiYr1en5ube/v2bfG3fn5+CxYsOHXq1Pnz52EiUijbx8cnMjIyMjJy8+bNKpXq7NmzyOpgtoiICLLg9u3bt4GAHRTN1mq1S5Ys0ev1BoOhvr5efArUzzcYDAaDwWg04lTKyQhWioCg+sWLF4crqA6Wyx4/ftzU1IRcegKPvpBK74T0/v7+mpqa6urqgoICwQvHDMMoFIqTJ08KdokXMzg4eO3aNXgYGxsLChc3nw8uWsQS6+Dn88DAQF5e3kcffQSWJQWvU1+/fl3KnsRuIA4esXL+oUOHSktLxcr5bnQ0Ely4GniAFLG7hlsXLvK9udUEcCPDSCT66VqZp5AyEQkUszmOE7zto9fr4S6KUoSyq6urNRoNy7LiHxq4HwuCr8Si2RJl+aVLiOPuY8SC4WRBdZw4PydSONfpdPzfjzU1NWBBA6n0jku3WCwymay1tZXjuPT09F27dgnaVVFRAe9IONGyBhQqB++hwfWEuro6uC+noPkC74mjRaLEukaj0el0MN1kMsH3ylzexyCbwM/Jv49BKq6PUDkfZwMufViy+Uh3SVkr4wcbMvK9udWEtTLxCINMl7jzAoCulXmIYby7bPlPMdtsNqvV6oqKCpvN1t3dDRbrS0pKQDaJQtkJCQlnzpyRPsdIEc12qdDODUdCnF9jR0cHvPdHKtUTBNU5vDg/978K593d3SqV6tChQ3a7vaWlhf/cBan0jkznt8VsNsvlcqPRCKtzOp2xsbF1dXV8nzMYofL09PTMzEyr1WowGBISEsrLy5HNb29vF48UMFrEp+Ak1vn/j9Hr9QkJCYcPH4aluZxjkE2AOfkW4hTXR6Kcj7OBYJtE2XycuwRbD0D/4IINt3OEd7YagNwaADnC4NKl7LwgBTrHuI2b/8Gsr69PTU0NDAxUKBRz5sypqKiAX0kUyq6qqoqOjm5vb5c4x3ASRLNdKrRzw5QQhzWyLAt/7iGV6gmC6hxenJ8TKZyDbQ2VSmVsbGxpaSnMhlR6R6YL2rJ79+4lS5bAw++//55/EwPzI4XKHzx4kJmZGRwcrNFo4HAvbv6FCxfIf6qQKLHOcVxlZeXMmTPlcnl8fDx/rxGXcwxBa52T/DeRkSjn42wg2CZRNp/gLsHWAyARF2y4nSO8s9UA5NYAyBEGly5l5wUp0DnGbUZf2/9VZffu3eCp9Su248BwLx5B81mWjY6OPnv2rPRTRh1vuP5xNniDbZ5jfLaaMiy8S9vfmykrKwNPI8e5YLig+X5+flVVVW+//bb0UygUyviB6i5LZdKkSfPnzx9rK7wR8gRDoVDGM3SOoVAoFIqnmMBx3FjbQKFQKJRXE3ofQ6FQKBRPQecYCoVCoXgKOsdQKBQKxVPQOYZCoVAonoLOMRQKhULxFHSOoVAoFIqnoHMMhUKhUDwFnWMoFAqF4inoHEOhUCgUT0HnGAqFQqF4CjrHUCgUCsVT0DmGQqFQKJ6CzjEUCoVC8RR0jqFQKBSKp6BzDIVCoVA8xf8BBr4p5zqb0PoAAAAASUVORK5CYII=) \n--- \n \n**Screenshot:** ![habitat.mit.edu vulnerability](/twimages/screen-1005198.jpg)\n\n**Mirror:** [Click here to view the mirror](<http://1005198.openbounty.org/mirror/>)\n\n### Coordinated Disclosure Timeline\n\nVulnerability Reported:| 28 October, 2019 13:21 GMT \n---|--- \nVulnerability Verified:| 28 October, 2019 13:35 GMT \nWebsite Operator Notified:| 28 October, 2019 13:35 GMT \na. Using the ISO 29147 guidelines| ![](/images/done.png) \n---|--- \nb. Using publicly available security contacts| ![](/images/done.png) \nc. Using Open Bug Bounty notification framework| ![](/images/done.png) \nd. Using security contacts provided by the researcher| ![](/images/done.png) \nPublic Report Published \n[without any technical details]:| 28 October, 2019 13:35 GMT \nAdditional notification email sent:| 4 January, 2020 10:23 GMT\n", "published": "2019-10-28T13:21:00", "modified": "2020-01-26T13:21:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://www.openbugbounty.org/reports/1005198/", "reporter": "devl00p", "references": [], "cvelist": [], "lastseen": "2020-08-21T22:48:57", "viewCount": 4, "enchantments": {"dependencies": {}, "score": {"value": 0.7, "vector": "NONE"}, "backreferences": {}, "exploitation": null, "vulnersScore": 0.7}, "openbugbounty": {"patchStatus": "unpatched", "mirror": "http://1005198.openbounty.org/mirror/"}, "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1645892150, "score": 1684004500, "epss": 1679002791}, "_internal": {"score_hash": "2f4e3a2c44669d7d75744a79c83e648b"}}