Open Bug Bounty ID: OBB-1107208
Following coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has:
      a. verified the vulnerability and confirmed its existence;
      b. notified the website operator about its existence.
Affected Website: etf2l.org
Vulnerable Application: Custom Code
Vulnerability Type: XSS (Cross Site Scripting) / CWE-79
CVSSv3 Score: 6.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N]
Disclosure Standard: Coordinated Disclosure based on ISO 29147 guidelines
Discovered and Reported by: kun-fly
Remediation Guide: OWASP XSS Prevention Cheat Sheet
Coordinated Disclosure Timeline
Vulnerability Reported: 29 February, 2020 06:45 GMT
Vulnerability Verified: 29 February, 2020 06:52 GMT
Website Operator Notified: 29 February, 2020 06:52 GMT
      a. Using the ISO 29147 guidelines: done
      b. Using publicly available security contacts: done
      c. Using Open Bug Bounty notification framework: done
      d. Using security contacts provided by the researcher: done
Public Report Published [without any technical details]: 29 February, 2020 06:52 GMT
Vulnerability Fixed: 20 May, 2020 21:40 GMT