History: Dec 03, 2019 - 4:02 p.m.

american.focus.tv Cross Site Scripting vulnerability

2019-12-03 16:02:00
devl00p
www.openbugbounty.org

Open Bug Bounty ID: OBB-1029629

Following coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has:

    a. verified the vulnerability and confirmed its existence;
    b. notified the website operator about its existence.

Affected Website: american.focus.tv
Open Bug Bounty Program: Create your bounty program now. It’s open and free.
Vulnerable Application: Custom Code
Vulnerability Type: XSS (Cross Site Scripting) / CWE-79
CVSSv3 Score: 6.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N]
Disclosure Standard: Coordinated Disclosure based on ISO 29147 guidelines
Discovered and Reported by: devl00p
Remediation Guide: OWASP XSS Prevention Cheat Sheet
Export Vulnerability Data: Bugzilla Vulnerability Data
JIRA Vulnerability Data [ Configuration ]
Mantis Vulnerability Data
Splunk Vulnerability Data
XML Vulnerability Data [ XSD ]

Vulnerable URL:

(The vulnerable URL is shown only as an image on the original report page and is not reproduced here.)

Screenshot: american.focus.tv vulnerability (image on the original report page)

Mirror: a mirror of the vulnerable page is linked from the original report

Coordinated Disclosure Timeline

Vulnerability Reported: 3 December, 2019 16:02 GMT
Vulnerability Verified: 3 December, 2019 16:10 GMT
Website Operator Notified: 3 December, 2019 16:10 GMT
    a. Using the ISO 29147 guidelines
    b. Using publicly available security contacts
    c. Using Open Bug Bounty notification framework
    d. Using security contacts provided by the researcher
Public Report Published [without any technical details]: 3 December, 2019 16:10 GMT