
acfurniture.com Cross Site Scripting vulnerability

Description

Open Bug Bounty ID: OBB-1074365

Following coordinated and responsible vulnerability disclosure guidelines of the **[ISO 29147](<https://www.iso.org/standard/45170.html>)** standard, Open Bug Bounty has:

a. verified the vulnerability and confirmed its existence;
b. notified the website operator about its existence.

| | |
|---|---|
| Affected Website | **[acfurniture.com](<https://acfurniture.com>)** |
| Vulnerable Application | Custom Code |
| Vulnerability Type | **[XSS (Cross Site Scripting)](<https://www.owasp.org/index.php/Cross-site_Scripting_\(XSS\)>)** / CWE-79 |
| CVSSv3 Score | 6.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N] |
| Disclosure Standard | Coordinated Disclosure based on **[ISO 29147](<https://www.iso.org/standard/45170.html>)** guidelines |
| Discovered and Reported by | **error404** |
| Remediation Guide | **[OWASP XSS Prevention Cheat Sheet](<https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.md>)** |

Vulnerable URL: provided only as an image on the original page; not reproduced in text.

Researcher's Comment: provided only as an image on the original page; not reproduced in text.

**Screenshot:** ![acfurniture.com vulnerability](/twimages/screen-1074365.jpg)

**Mirror:** [Click here to view the mirror](<http://1074365.openbounty.org/mirror/>)

### Coordinated Disclosure Timeline

| | |
|---|---|
| Vulnerability Reported | 25 January, 2020 04:11 GMT |
| Vulnerability Verified | 25 January, 2020 04:20 GMT |
| Website Operator Notified | 25 January, 2020 04:20 GMT |
| Public Report Published [without any technical details] | 25 January, 2020 04:20 GMT |

Operator notification channels used:

a. Using the ISO 29147 guidelines: done
b. Using publicly available security contacts: done
c. Using Open Bug Bounty notification framework: done
d. Using security contacts provided by the researcher: done
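The report publishes no technical details, and the affected application is custom code, so the following is an added, constructed example rather than code from acfurniture.com: it shows the unsafe reflection pattern that produces CWE-79 beside the context-aware output encoding the linked OWASP cheat sheet prescribes. The page layout, the `q` parameter and the payload are all assumptions made for illustration.

```python
"""Reflected XSS (CWE-79): unsafe reflection beside its hardened form.

Added example with a constructed page and payload; not the vulnerable
site's code. Encoding is chosen per output context, as the OWASP XSS
Prevention Cheat Sheet recommends.
"""
import html
import re
from urllib.parse import urlencode

# Constructed attacker input: breaks out of the surrounding markup and
# injects a script element.
PAYLOAD = '"><script>alert(document.domain)</script>'


def render_vulnerable(query: str) -> str:
    """Reflects the parameter raw into an HTML body and an href attribute."""
    return (
        f"<p>Results for <b>{query}</b></p>\n"
        f'<a href="/search?q={query}">Search again</a>'
    )


def render_hardened(query: str) -> str:
    """Same page, encoded for each context the value lands in.

    HTML body/attribute text: entity-encode & < > " '.
    URL query component: percent-encode the value, then entity-encode the
    resulting URL before placing it in the attribute (the cheat sheet's
    URL-then-attribute ordering).
    """
    safe_text = html.escape(query, quote=True)
    safe_href = html.escape("/search?" + urlencode({"q": query}), quote=True)
    return (
        f"<p>Results for <b>{safe_text}</b></p>\n"
        f'<a href="{safe_href}">Search again</a>'
    )


SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def contains_raw_script(page: str) -> bool:
    """Crude reflection check: a literal <script tag in the response means
    the payload survived unencoded. A real scanner would parse the DOM and
    also look at attribute and JavaScript contexts."""
    return SCRIPT_TAG.search(page) is not None


if __name__ == "__main__":
    print("vulnerable reflects script:", contains_raw_script(render_vulnerable(PAYLOAD)))
    print("hardened reflects script:  ", contains_raw_script(render_hardened(PAYLOAD)))
    print(render_hardened(PAYLOAD))
```

Note that the hardened renderer leaves benign input such as `sofa` byte-for-byte identical to the vulnerable one; encoding only changes the characters that carry meaning in the target context, which is why it should be applied at output time rather than by filtering input.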