
startribune.com Cross Site Scripting vulnerability OBB-1109989

Description

Following the coordinated and responsible vulnerability disclosure guidelines of the **[ISO 29147](<https://www.iso.org/standard/45170.html>)** standard, Open Bug Bounty has:

a. verified the vulnerability and confirmed its existence;
b. notified the website operator about its existence.

| | |
|---|---|
| Affected Website: | **[startribune.com](<http://www.startribune.com>)** |
| Open Bug Bounty Program: | **Create your bounty program now**. It's open and free. |
| Vulnerable Application: | Custom Code |
| Vulnerability Type: | **[XSS (Cross Site Scripting)](<https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)>)** / CWE-79 |
| CVSSv3 Score: | 6.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N] |
| Disclosure Standard: | Coordinated Disclosure based on **[ISO 29147](<https://www.iso.org/standard/45170.html>)** guidelines |
| Discovered and Reported by: | **geeknik** |
| Remediation Guide: | **[OWASP XSS Prevention Cheat Sheet](<https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.md>)** |
| Export Vulnerability Data: | Bugzilla Vulnerability Data, JIRA Vulnerability Data [ Configuration ], Mantis Vulnerability Data, Splunk Vulnerability Data, XML Vulnerability Data [ XSD ] |
| Vulnerable URL: | (shown only as an image on the original page; not reproduced here) |

**Screenshot:** ![startribune.com vulnerability](/twimages/screen-1109989.jpg)

**Mirror:** [Click here to view the mirror](<http://1109989.openbounty.org/mirror/>)

### Coordinated Disclosure Timeline

| | |
|---|---|
| Vulnerability Reported: | 4 March, 2020 14:08 GMT |
| Vulnerability Verified: | 4 March, 2020 14:18 GMT |
| Website Operator Notified: | 4 March, 2020 14:18 GMT |

Notification methods used:

| | |
|---|---|
| a. Using the ISO 29147 guidelines | done |
| b. Using publicly available security contacts | done |
| c. Using Open Bug Bounty notification framework | done |
| d. Using security contacts provided by the researcher | done |

| | |
|---|---|
| Public Report Published [without any technical details]: | 4 March, 2020 14:18 GMT |