
zyneri.com Cross Site Scripting vulnerability

### Description

Open Bug Bounty ID: OBB-1047618

Following coordinated and responsible vulnerability disclosure guidelines of the **[ISO 29147](<https://www.iso.org/standard/45170.html>)** standard, Open Bug Bounty has:

a. verified the vulnerability and confirmed its existence;
b. notified the website operator about its existence.

| Affected Website: | **[zyneri.com](<http://zyneri.com>)** |
|---|---|
| Vulnerable Application: | Custom Code |
| Vulnerability Type: | **[XSS (Cross Site Scripting)](<https://www.owasp.org/index.php/Cross-site_Scripting_\(XSS\)>)** / CWE-79 |
| CVSSv3 Score: | 6.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N] |
| Disclosure Standard: | Coordinated Disclosure based on **[ISO 29147](<https://www.iso.org/standard/45170.html>)** guidelines |
| Discovered and Reported by: | **g0bl1nsec** |
| Remediation Guide: | **[OWASP XSS Prevention Cheat Sheet](<https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.md>)** |
| Vulnerable URL: | (image, not reproduced) |
| HTTP POST data: | (image, not reproduced) |

**Screenshot:** ![zyneri.com vulnerability](/twimages/screen-1047618.jpg)

**Mirror:** [Click here to view the mirror](<http://1047618.openbounty.org/mirror/>)

### Coordinated Disclosure Timeline

| Vulnerability Reported: | 22 December, 2019 15:17 GMT |
|---|---|
| Vulnerability Verified: | 22 December, 2019 15:24 GMT |
| Website Operator Notified: | 22 December, 2019 15:24 GMT |
| a. Using the ISO 29147 guidelines | done |
| b. Using publicly available security contacts | done |
| c. Using Open Bug Bounty notification framework | done |
| d. Using security contacts provided by the researcher | done |
| Public Report Published [without any technical details]: | 22 December, 2019 15:24 GMT |