vilniausfutbolas.lt Cross Site Scripting vulnerability

2020-02-13 15:51:00
geeknik
www.openbugbounty.org

Open Bug Bounty ID: OBB-1090868

Following coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has:

    a. verified the vulnerability and confirmed its existence;
    b. notified the website operator about its existence.

Affected Website: vilniausfutbolas.lt
Vulnerable Application: Custom Code
Vulnerability Type: XSS (Cross Site Scripting) / CWE-79
CVSSv3 Score: 6.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N]
Disclosure Standard: Coordinated Disclosure based on ISO 29147 guidelines
Discovered and Reported by: geeknik
Remediation Guide: OWASP XSS Prevention Cheat Sheet

Vulnerable URL: (provided on the original page only as an image; not reproduced here)

Screenshot: vilniausfutbolas.lt vulnerability


Coordinated Disclosure Timeline

Vulnerability Reported: 13 February, 2020 15:51 GMT
Vulnerability Verified: 13 February, 2020 16:00 GMT
Website Operator Notified: 13 February, 2020 16:00 GMT
    a. Using the ISO 29147 guidelines
    b. Using publicly available security contacts
    c. Using Open Bug Bounty notification framework
    d. Using security contacts provided by the researcher
Public Report Published [without any technical details]: 13 February, 2020 16:00 GMT