arsenal-ekb.ru Cross Site Scripting vulnerability

Source: www.openbugbounty.org
Reported by: kun-fly
Published: 25 February 2020, 09:29

Open Bug Bounty ID: OBB-1103749

Following coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has:

    a. verified the vulnerability and confirmed its existence;
    b. notified the website operator about its existence.

Affected Website: arsenal-ekb.ru
Vulnerable Application: Custom Code
Vulnerability Type: XSS (Cross Site Scripting) / CWE-79
CVSSv3 Score: 6.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N]
Disclosure Standard: Coordinated Disclosure based on ISO 29147 guidelines
Discovered and Reported by: kun-fly
Remediation Guide: OWASP XSS Prevention Cheat Sheet
Export Vulnerability Data: Bugzilla, JIRA, Mantis, Splunk, XML
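The CVSS v3.0 vector above scores 6.1 because the metrics combine non-linearly and the Scope:Changed value usual for XSS (the injected script executes in the victim's browser, a different security authority from the vulnerable server) switches the impact curve and adds a 1.08 multiplier. The following Python is an added example written for this page, not Open Bug Bounty's or the researcher's code: it implements the base-score equations from the CVSS v3.0 specification, checks the published vector, and shows what the same finding would score with Scope:Unchanged. The metric weights are the specification's; the vector constant, the regular expression and the helper names are the example's own.

```python
import math
import re

# Metric weights from the CVSS v3.0 specification (section 8.4).
AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20}
AC = {"L": 0.77, "H": 0.44}
PR_SCOPE_UNCHANGED = {"N": 0.85, "L": 0.62, "H": 0.27}
PR_SCOPE_CHANGED = {"N": 0.85, "L": 0.68, "H": 0.50}
UI = {"N": 0.85, "R": 0.62}
CIA = {"H": 0.56, "L": 0.22, "N": 0.00}

# Accepts the eight base metrics in their canonical order (assumption of
# this example; the specification also allows other orders).
VECTOR_RE = re.compile(
    r"^CVSS:3\.[01]/AV:([NALP])/AC:([LH])/PR:([NLH])/UI:([NR])/S:([UC])"
    r"/C:([HLN])/I:([HLN])/A:([HLN])$"
)

# The vector published in this report (copied from the page).
REPORT_VECTOR = "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"


def roundup(value):
    """CVSS round-up to one decimal place.

    Uses integer arithmetic (the form adopted in CVSS v3.1) so that
    floating-point noise such as 6.0000000001 does not become 6.1.
    """
    scaled = round(value * 100000)
    if scaled % 10000 == 0:
        return scaled / 100000.0
    return (math.floor(scaled / 10000) + 1) / 10.0


def parse_vector(vector):
    """Split a base-metric vector string into a {metric: value} dict."""
    match = VECTOR_RE.match(vector.strip())
    if not match:
        raise ValueError("not a CVSS v3 base vector: %r" % vector)
    return dict(zip(("AV", "AC", "PR", "UI", "S", "C", "I", "A"), match.groups()))


def base_score(vector):
    """Compute the CVSS v3.0 base score for a base-metric vector string."""
    v = parse_vector(vector)
    scope_changed = v["S"] == "C"

    # Impact sub score: ISS folds the three impact metrics together, then
    # Scope decides which curve maps ISS onto the 0-10 range.
    iss = 1.0 - (1.0 - CIA[v["C"]]) * (1.0 - CIA[v["I"]]) * (1.0 - CIA[v["A"]])
    if scope_changed:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    else:
        impact = 6.42 * iss

    # Exploitability sub score; PR weighs more when scope is changed.
    pr = (PR_SCOPE_CHANGED if scope_changed else PR_SCOPE_UNCHANGED)[v["PR"]]
    exploitability = 8.22 * AV[v["AV"]] * AC[v["AC"]] * pr * UI[v["UI"]]

    if impact <= 0:
        return 0.0
    if scope_changed:
        return roundup(min(1.08 * (impact + exploitability), 10.0))
    return roundup(min(impact + exploitability, 10.0))


def replace_metric(vector, metric, value):
    """Return the vector with one base metric changed, e.g. ("S", "U")."""
    return re.sub(r"/%s:[A-Z]" % metric, "/%s:%s" % (metric, value), vector, count=1)


if __name__ == "__main__":
    print(REPORT_VECTOR, "->", base_score(REPORT_VECTOR))
    # The same XSS with Scope:Unchanged, to show what S:C contributes.
    unchanged = replace_metric(REPORT_VECTOR, "S", "U")
    print(unchanged, "->", base_score(unchanged))
```

Running it reproduces the page's 6.1 and gives 5.4 for the Scope:Unchanged variant; the difference is the whole reason OBB reports reflected XSS as S:C, since the vulnerable server is not what the payload compromises.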

Vulnerable URL:

(shown as an image on the original report; not reproduced here)

Researcher's Comment:

(shown as an image on the original report; not reproduced here)

Mirror: linked from the original Open Bug Bounty report.

Coordinated Disclosure Timeline

Vulnerability Reported: 25 February, 2020 09:29 GMT
Vulnerability Verified: 25 February, 2020 09:38 GMT
Website Operator Notified: 25 February, 2020 09:38 GMT
    a. Using the ISO 29147 guidelines
    — —
    b. Using publicly available security contacts
    c. Using Open Bug Bounty notification framework
    d. Using security contacts provided by the researcher
Public Report Published [without any technical details]: 25 February, 2020 09:38 GMT