
fcbwest.com Cross Site Scripting vulnerability OBB-1027922

2019-12-01 19:19:00
g0bl1nsec
www.openbugbounty.org

Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has:

a. verified the vulnerability and confirmed its existence;
b. notified the website operator about its existence.

Affected Website: fcbwest.com
Open Bug Bounty Program: Create your bounty program now. It’s open and free.
Vulnerable Application: Custom Code
Vulnerability Type: XSS (Cross Site Scripting) / CWE-79
CVSSv3 Score: 6.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N]
Disclosure Standard: Coordinated Disclosure based on ISO 29147 guidelines
Discovered and Reported by: g0bl1nsec
Remediation Guide: OWASP XSS Prevention Cheat Sheet
Export Vulnerability Data: Bugzilla, JIRA, Mantis, Splunk, XML

Vulnerable URL:


Screenshot: fcbwest.com vulnerability

Mirror: Click here to view the mirror

Coordinated Disclosure Timeline

Vulnerability Reported: 1 December, 2019 19:19 GMT
Vulnerability Verified: 1 December, 2019 19:27 GMT
Website Operator Notified: 1 December, 2019 19:27 GMT
    a. Using the ISO 29147 guidelines
    b. Using publicly available security contacts
    c. Using Open Bug Bounty notification framework
    d. Using security contacts provided by the researcher
Public Report Published [without any technical details]: 1 December, 2019 19:27 GMT