
liveauction.am Cross Site Scripting vulnerability

Description

Open Bug Bounty ID: OBB-1065882

Following coordinated and responsible vulnerability disclosure guidelines of the **[ISO 29147](<https://www.iso.org/standard/45170.html>)** standard, Open Bug Bounty has:

a. verified the vulnerability and confirmed its existence;
b. notified the website operator about its existence.

| Affected Website: | **[liveauction.am](<http://liveauction.am>)** |
|---|---|
| Open Bug Bounty Program: | **Create your bounty program now**. It's open and free. |
| Vulnerable Application: | Custom Code |
| Vulnerability Type: | **[XSS (Cross Site Scripting)](<https://www.owasp.org/index.php/Cross-site_Scripting_\(XSS\)>)** / CWE-79 |
| CVSSv3 Score: | 6.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N] |
| Disclosure Standard: | Coordinated Disclosure based on **[ISO 29147](<https://www.iso.org/standard/45170.html>)** guidelines |
| Discovered and Reported by: | **geeknik** |
| Remediation Guide: | **[OWASP XSS Prevention Cheat Sheet](<https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.md>)** |
| Export Vulnerability Data: | Bugzilla Vulnerability Data; JIRA Vulnerability Data [ Configuration ]; Mantis Vulnerability Data; Splunk Vulnerability Data; XML Vulnerability Data [ XSD ] |
| Vulnerable URL: | (published on the original page as an image only) |

**Screenshot:** ![liveauction.am vulnerability](/twimages/screen-1065882.jpg)

**Mirror:** [Click here to view the mirror](<http://1065882.openbounty.org/mirror/>)

### Coordinated Disclosure Timeline

| Event | Date / Status |
|---|---|
| Vulnerability Reported: | 11 January, 2020 15:46 GMT |
| Vulnerability Verified: | 11 January, 2020 15:54 GMT |
| Website Operator Notified: | 11 January, 2020 15:54 GMT |
| a. Using the ISO 29147 guidelines | done |
| b. Using publicly available security contacts | done |
| c. Using Open Bug Bounty notification framework | done |
| d. Using security contacts provided by the researcher | done |
| Public Report Published [without any technical details]: | 11 January, 2020 15:54 GMT |
| Vulnerability Fixed: | 3 February, 2020 15:46 GMT |