
hostelroma.com.br Cross Site Scripting vulnerability

Description

Open Bug Bounty ID: OBB-1032907

Following coordinated and responsible vulnerability disclosure guidelines of the **[ISO 29147](<https://www.iso.org/standard/45170.html>)** standard, Open Bug Bounty has:

a. verified the vulnerability and confirmed its existence;
b. notified the website operator about its existence.

| | |
|---|---|
| Affected Website: | **[hostelroma.com.br](<http://hostelroma.com.br>)** |
| Open Bug Bounty Program: | **Create your bounty program now**. It's open and free. |
| Vulnerable Application: | Custom Code |
| Vulnerability Type: | **[XSS (Cross Site Scripting)](<https://www.owasp.org/index.php/Cross-site_Scripting_\(XSS\)>)** / CWE-79 |
| CVSSv3 Score: | 6.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N] |
| Disclosure Standard: | Coordinated Disclosure based on **[ISO 29147](<https://www.iso.org/standard/45170.html>)** guidelines |
| Discovered and Reported by: | **geeknik** |
| Remediation Guide: | **[OWASP XSS Prevention Cheat Sheet](<https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.md>)** |
| Export Vulnerability Data: | Bugzilla, JIRA [ Configuration ], Mantis, Splunk, XML [ XSD ] |
| Vulnerable URL: | (provided as an image on the original page) |

**Screenshot:** ![hostelroma.com.br vulnerability](/twimages/screen-1032907.jpg)

**Mirror:** [Click here to view the mirror](<http://1032907.openbounty.org/mirror/>)

### Coordinated Disclosure Timeline

| | |
|---|---|
| Vulnerability Reported: | 7 December, 2019 15:37 GMT |
| Vulnerability Verified: | 7 December, 2019 15:52 GMT |
| Website Operator Notified: | 7 December, 2019 15:52 GMT |
| a. Using the ISO 29147 guidelines | ![done](/images/done.png) |
| b. Using publicly available security contacts | ![done](/images/done.png) |
| c. Using Open Bug Bounty notification framework | ![done](/images/done.png) |
| d. Using security contacts provided by the researcher | ![done](/images/done.png) |
| Public Report Published [without any technical details]: | 7 December, 2019 15:52 GMT |
| Vulnerability Fixed: | 13 January, 2020 17:36 GMT |