xpro.org Cross Site Scripting vulnerability

2020-03-06T15:37:00

Description

Open Bug Bounty ID: OBB-1111910 Following coordinated and responsible vulnerability disclosure guidelines of the **[ISO 29147](<https://www.iso.org/standard/45170.html>)** standard, Open Bug Bounty has: &nbsp&nbsp&nbsp&nbsp&nbsp&nbspa. verified the vulnerability and confirmed its existence; &nbsp&nbsp&nbsp&nbsp&nbsp&nbspb. notified the website operator about its existence. Affected Website:| **[xpro.org](<https://www.xpro.org>) ** ---|--- Open Bug Bounty Program:| **Create your bounty program now**. It's open and free. Vulnerable Application:| Custom Code Vulnerability Type:| **[XSS (Cross Site Scripting)](<https://www.owasp.org/index.php/Cross-site_Scripting_\(XSS\)>)** / CWE-79 CVSSv3 Score:| 6.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N] Disclosure Standard:| Coordinated Disclosure based on **[ISO 29147](<https://www.iso.org/standard/45170.html>)** guidelines Discovered and Reported by:| **g0bl1nsec ** Remediation Guide:| **[OWASP XSS Prevention Cheat Sheet](<https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.md>)** Export Vulnerability Data:| Bugzilla Vulnerability Data JIRA Vulnerability Data [ Configuration ] Mantis Vulnerability Data Splunk Vulnerability Data XML Vulnerability Data [ XSD ] Vulnerable URL: ![](data:image/png;base64, iVBORw0KGgoAAAANSUhEUgAAAiEAAAAjCAIAAADNIk3yAAAACXBIWXMAAA7EAAAOxAGVKw4bAAALfklEQVR4nO2cb2gTZxjAz3ptY3txNkvO2GSYFtbtg3RBauhwSigiUkvIXC1aOnUqsytbCaHzT4Utq6WK1oIiRSQb2xDmBylShkwp3cgH2bTrrl2JMcQsZll6kzamkmmscbcPLxy3+5dr07NRnt+nvO897/M+f97cc/e+aZcwDIMBAAAAgAoULLYBAAAAwEsL1BgAAABALaDGAAAAAGoBNQYAAABQC6gxAAAAgFpAjQEAAADUIn9rTEVFxdjYmFQT4JInwckTMwAljI2NffTRR1JXnz59unPnzr///luhNkg9IEWe1pjff//933//feutt0SbAJc8CU6emAEoZM+ePRaLRepqYWFhUVFRR0eHElWQekCGLDXm3r17Wq1W9NLMzMzx48elmjkyODjocDikmgAXNjgPHjz44IMPDAaDyWQ6dOjQ06dP56RHJtdzMiMXFNqQdbGxeu7du1dWVpajVXNioVzIUb/8jNPT0+Pj4y6Xi7365MmTnTt3cjW7XK6hoSElmvMq9UDewcgSiUQIglBySUZyHthstuvXr0s1AS5scBwOR3NzcywWCwQC77zzzuHDh+ekJ8cMLlSO0ul0VpmsprICkUhkxYoVuVs1JxbEBVUH8pSk02m73d7Y2Di/b3RepR7IN/Jxr2xycjIYDNrtdtEmwIUNzuPHj0dHRy9cuGAymd54442+vr7Lly/PSRWO41VVVTmaMb/hXIqLi3NXwvqSi1PzZkFceJ7QNL1p06be3t55jM231AP5hqIac+bMmYqKildfffX999+fmZnBMGxmZsZisaRSqSVLlnzzzTfcZl9fn1arPXXq1MqVK8vKynbv3v348WOk59atWxs2bNBqtSaT6b333rt9+7bodIODg5s3by4sLOQ133333VOnTqHOsbGx4uJiZAyGYQcOHPj000/lBV5//XX54Vwb/vjjj9LS0t9++w3DsOnp6bKysh9//BG9zgtdQ/3Hjx83GAyrVq368ssvMQz7559/Dhw4YDAYXnvttS+++OLZs2c8N0UFRFVNTk5u3bpVq9VWVFScPn2au/nDBmfZsmV//vlnaWkp6g+FQuXl5cpjjmGYyWT69ddf2ea1a9ekJIUC3JRJzfjs2bMjR46sXLmytLR0+/bt09PTQme5GyZS0eatPVE7WV9MJtMvv/wyD49EvVDJBSnbbt269fbbby9btsxgMGzfvv2vv/4Syjx58mTfvn1arXb16tWff/651CoSzshl9erVR48elQ+OVKDyLfVA3iH/mhOJRDAM27NnTzweD4VCdXV1ra2t6FIgECAIIp1OZzIZbjMcDmMY1tjYGI1GQ6HQmjVrPB4PGkKSpNfrTSQS4XC4r68vHA6LTlpfX3/x4kVh0+v1bt68GXV2d3fjOH7p0iXUrKysHB4elhfo6OiQH84zo7u7e+PGjQzDtLW1NTc3s9EQuob6d+3aRdP0Dz/8EAgEGIbZu3dvQ0NDNBqdmJhYu3bt2bNnefpFBURVbdu2zel00jQdCoWqq6u5mz+8WLGpKS8vv3nzpkzM9QJ4SoxGY11d3cjIiDBBN2/erKurMxqNomZIzdjT01NTUzM+Ph6Lxdrb230+n9BZ3n6O1ELirj0ZO3PxSNQLlVyQsu38+fNfffVVMpmkadrlcjmdTkawWdTZ2bljx45wOOz3++12+7lz5xiJVcSdUXTHScnu9wuaemARUVRjHj58iJo3btyorKxkL4muSDQkGo2i/oGBgZqaGoZhEokEjuOiW67RaNRisaDPqVSKIIhEIiFsxuPxkpISpMFms7ndbvbWv3z58tnZWXmBaDQqP5xn1ezs7JtvvunxePR6PU3TMq6hftZmhmEymQxBEOx3bHBwsLa2lqtcSkBUlUajYSUHBgbYGsOLFSIWi1VWVqLyKRPzmACeQCqV6unp0el0TU1NwWAQdQaDwaamJp1O19PTk0qlhGbIzEiS5OjoKLdH6KzwRiOMNk9M1E5RlHsk5YVKLijxIhQKoTs7b6Ber2fNpijKZrOJWiU0bK415oVOPbCIzO3Mn3uCKlNjNBoN2+/3+0mSRJ937NhhtVrdbndvb+9PP/3EymQymXg8jj4PDAzU1dWxl3hNq9U6PDxM07TZbE4mkyRJZjIZr9e7bds2JQJZh/NAv6thX0GkXBN+Y+PxeFFREdsMBoPcRz8Zgayq/H4/mwJecBC1tbXcdyapmCskkUg4nU4cx1ETx3Gn05lMJrkyPDNEZ0wmkziOo2d2FqGzvBuN1EISDuTZmaNHol6o7YLQttHR0U2bNpWXl+v1ep1Oh/LOHZhIJDAMY99EdTqd1IIUGjbXGvMSpB5YFJ7rmf93333n9Xqrq6tnZ2fdbvcnn3yC+pcuXbpq1Sr0Wf5Xy/X19UNDQ99//31DQ8Mrr7xitVp9Pt/Q0FB9fb0SgazDedA0XVBQQNO0GtHIHeFvRicnJ8fHx9nAYtIxNwgQ6r979+7HH3/s8/m6urpQT1dXl8/na2tru3v3rpQZUjNiGLZ06dKF8Du7ncolRT3CZNeqGi6I2uZ0Ojdu3Ojz+SiKunr1qnBIOp0uKCgYGRmhKIqiqPHxcYqiVDLvRU89sGjIl6D5vcdgnPfcK1eusO+5XCiKMpvNvM5MJqPX69l9IV6TYZgbN27YbDaHw3H16lWGYfr7+9vb241GI/saJC+QdTiXZDJpNBovXbqk0+n8fr+Ma8Jnq1z2yoSqNBpNJBJBTXavTBgc1Cl1ysX8P+ZZ98paW1sJgnC73VNTU9z+qakpl8tFEAQ6mRM1Q3RGkiQpiuJezfowK7WQuGJSdgpR6JGMFyq5IGrb/fv3uc/mFEUJ32MYhiEIgrcNJWqV0LB5nMe8uKkHFpH515hUKoXjOLsNyjbZ87pYLDYxMWG1WtF5nd/v37Jly/Dw8NTUVDQa3b9/f0NDA6sZbeP6fL41a9awnbwmgiRJkiSRfCwWW758udVqVS4gf5W7m9zW1tbU1MQwTHd3t91uZzhHkTzXRL+x+/fvdzgcwjN/dgpRAVFVjY2NTqczEolMTEywZ/6iweG5IB9zeVpaWtjCJiQSibS0tAjNkJmxp6fHZrOhg1/07KnkRiOMNvP/tSdv5zw8kvFCJRekbCNJsr+/P5lMBoNBp9OJ8v7w4UMcxwOBANp9am1tra2tnZiYiMfjJ0+e7OrqYiRWEXfGaDTK3YwSWs4wTCgUEv3Tohcx9cAiMv8awzCMx+MpKSn5+uuvuc3Tp08TBHHixAmSJFesWLFr165Hjx4xDDM7O+vxeKqqqoqKikiSbGlpQQfp3Fk6Ojo6OztZ/bwmorm5ubGxkW3W1NTwZOQFZK5ynR0ZGSEIAj1JpdNpi8Xy7bffIgGha1Jf6Q8//FCv15vNZo/Hg+4IvBNLeQEWmqYbGhoIgrBYLCdOnEApEA0OL0EyMV8oeGbIzJjJZA4ePKjX6zUajdPpnJqaynqjEY02grf2FhYpL56zCz6fr6amRqPRGI1Gt9vNZvbw4cPswHQ67XK5zGZzSUlJfX09eqsQXUXcGdPptEaj4Z2T80Zdvny5urpaJkovZeqBBSdLjZkHUutbCVVVVT///LNUc9HJxbWFIhAIoPPPPAmOembkQ7RzJJ9daG9vF/5ghAU9V3m9XhkNkHpACfjzPf3Jwp07d2SaAIZhFEVVVlZieROcPDEDmCu9vb0yPxAoLi6+ePHi+vXrZTRA6gEl5FeNAUQ5duxYeXm5w+EIh8OdnZ2fffbZYlsEvPAUFhauW7dORkC+wACAQvLx/5UBPOx2e39/v9lsbmlpaW9v371792JbBAAAoIglDMMstg0AAADAywm8xwAAAABqATUGAAAAUAuoMQAAAIBaQI0BAAAA1AJqDAAAAKAWUGMAAAAAtYAaAwAAAKgF1BgAAABALaDGAAAAAGoBNQYAAABQi/8A9twuasokCIkAAAAASUVORK5CYII=) --- **Screenshot:** ![xpro.org vulnerability](/twimages/screen-1111910.jpg) **Mirror:** [Click here to view the mirror](<http://1111910.openbounty.org/mirror/>) ### Coordinated Disclosure Timeline Vulnerability Reported:| 6 March, 2020 15:37 GMT ---|--- Vulnerability Verified:| 6 March, 2020 15:52 GMT Website Operator Notified:| 6 March, 2020 15:52 GMT a. Using the ISO 29147 guidelines| ![](/images/done.png) ---|--- b. Using publicly available security contacts| ![](/images/done.png) c. Using Open Bug Bounty notification framework| ![](/images/done.png) d. Using security contacts provided by the researcher| ![](/images/done.png) Public Report Published [without any technical details]:| 6 March, 2020 15:52 GMT

{"id": "OBB:1111910", "type": "openbugbounty", "bulletinFamily": "bugbounty", "title": "xpro.org Cross Site Scripting vulnerability ", "description": " \n\n\nOpen Bug Bounty ID: OBB-1111910\n\nFollowing coordinated and responsible vulnerability disclosure guidelines of the **[ISO 29147](<https://www.iso.org/standard/45170.html>)** standard, Open Bug Bounty has: \n\n&nbsp&nbsp&nbsp&nbsp&nbsp&nbspa. verified the vulnerability and confirmed its existence; \n&nbsp&nbsp&nbsp&nbsp&nbsp&nbspb. notified the website operator about its existence.\n\nAffected Website:| **[xpro.org](<https://www.xpro.org>) ** \n---|--- \nOpen Bug Bounty Program:| **Create your bounty program now**. It's open and free. \nVulnerable Application:| Custom Code \nVulnerability Type:| **[XSS (Cross Site Scripting)](<https://www.owasp.org/index.php/Cross-site_Scripting_\\(XSS\\)>)** / CWE-79 \nCVSSv3 Score:| 6.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N] \nDisclosure Standard:| Coordinated Disclosure based on **[ISO 29147](<https://www.iso.org/standard/45170.html>)** guidelines \nDiscovered and Reported by:| **g0bl1nsec ** \nRemediation Guide:| **[OWASP XSS Prevention Cheat Sheet](<https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.md>)** \nExport Vulnerability Data:| Bugzilla Vulnerability Data \nJIRA Vulnerability Data [ Configuration ] \nMantis Vulnerability Data \nSplunk Vulnerability Data \nXML Vulnerability Data [ XSD ] \n \nVulnerable URL:\n\n![](data:image/png;base64, iVBORw0KGgoAAAANSUhEUgAAAiEAAAAjCAIAAADNIk3yAAAACXBIWXMAAA7EAAAOxAGVKw4bAAALfklEQVR4nO2cb2gTZxjAz3ptY3txNkvO2GSYFtbtg3RBauhwSigiUkvIXC1aOnUqsytbCaHzT4Utq6WK1oIiRSQb2xDmBylShkwp3cgH2bTrrl2JMcQsZll6kzamkmmscbcPLxy3+5dr07NRnt+nvO897/M+f97cc/e+aZcwDIMBAAAAgAoULLYBAAAAwEsL1BgAAABALaDGAAAAAGoBNQYAAABQC6gxAAAAgFpAjQEAAADUIn9rTEVFxdjYmFQT4JInwckTMwAljI2NffTRR1JXnz59unPnzr///luhNkg9IEWe1pjff//933//feutt0SbAJc8CU6emAEoZM+ePRaLRepqYWFhUVFRR0eHElWQekCGLDXm3r17Wq1W9NLMzMzx48elmjkyODjocDikmgAXNjgPHjz44IMPDAaDyWQ6dOjQ06dP56RHJtdzMiMXFNqQdbGxeu7du1dWVpajVXNioVzIUb/8jNPT0+Pj4y6Xi7365MmTnTt3cjW7XK6hoSElmvMq9UDewcgSiUQIglBySUZyHthstuvXr0s1AS5scBwOR3NzcywWCwQC77zzzuHDh+ekJ8cMLlSO0ul0VpmsprICkUhkxYoVuVs1JxbEBVUH8pSk02m73d7Y2Di/b3RepR7IN/Jxr2xycjIYDNrtdtEmwIUNzuPHj0dHRy9cuGAymd54442+vr7Lly/PSRWO41VVVTmaMb/hXIqLi3NXwvqSi1PzZkFceJ7QNL1p06be3t55jM231AP5hqIac+bMmYqKildfffX999+fmZnBMGxmZsZisaRSqSVLlnzzzTfcZl9fn1arPXXq1MqVK8vKynbv3v348WOk59atWxs2bNBqtSaT6b333rt9+7bodIODg5s3by4sLOQ133333VOnTqHOsbGx4uJiZAyGYQcOHPj000/lBV5//XX54Vwb/vjjj9LS0t9++w3DsOnp6bKysh9//BG9zgtdQ/3Hjx83GAyrVq368ssvMQz7559/Dhw4YDAYXnvttS+++OLZs2c8N0UFRFVNTk5u3bpVq9VWVFScPn2au/nDBmfZsmV//vlnaWkp6g+FQuXl5cpjjmGYyWT69ddf2ea1a9ekJIUC3JRJzfjs2bMjR46sXLmytLR0+/bt09PTQme5GyZS0eatPVE7WV9MJtMvv/wyD49EvVDJBSnbbt269fbbby9btsxgMGzfvv2vv/4Syjx58mTfvn1arXb16tWff/651CoSzshl9erVR48elQ+OVKDyLfVA3iH/mhOJRDAM27NnTzweD4VCdXV1ra2t6FIgECAIIp1OZzIZbjMcDmMY1tjYGI1GQ6HQmjVrPB4PGkKSpNfrTSQS4XC4r68vHA6LTlpfX3/x4kVh0+v1bt68GXV2d3fjOH7p0iXUrKysHB4elhfo6OiQH84zo7u7e+PGjQzDtLW1NTc3s9EQuob6d+3aRdP0Dz/8EAgEGIbZu3dvQ0NDNBqdmJhYu3bt2bNnefpFBURVbdu2zel00jQdCoWqq6u5mz+8WLGpKS8vv3nzpkzM9QJ4SoxGY11d3cjIiDBBN2/erKurMxqNomZIzdjT01NTUzM+Ph6Lxdrb230+n9BZ3n6O1ELirj0ZO3PxSNQLlVyQsu38+fNfffVVMpmkadrlcjmdTkawWdTZ2bljx45wOOz3++12+7lz5xiJVcSdUXTHScnu9wuaemARUVRjHj58iJo3btyorKxkL4muSDQkGo2i/oGBgZqaGoZhEokEjuOiW67RaNRisaDPqVSKIIhEIiFsxuPxkpISpMFms7ndbvbWv3z58tnZWXmBaDQqP5xn1ezs7JtvvunxePR6PU3TMq6hftZmhmEymQxBEOx3bHBwsLa2lqtcSkBUlUajYSUHBgbYGsOLFSIWi1VWVqLyKRPzmACeQCqV6unp0el0TU1NwWAQdQaDwaamJp1O19PTk0qlhGbIzEiS5OjoKLdH6KzwRiOMNk9M1E5RlHsk5YVKLijxIhQKoTs7b6Ber2fNpijKZrOJWiU0bK415oVOPbCIzO3Mn3uCKlNjNBoN2+/3+0mSRJ937NhhtVrdbndvb+9PP/3EymQymXg8jj4PDAzU1dWxl3hNq9U6PDxM07TZbE4mkyRJZjIZr9e7bds2JQJZh/NAv6thX0GkXBN+Y+PxeFFREdsMBoPcRz8Zgayq/H4/mwJecBC1tbXcdyapmCskkUg4nU4cx1ETx3Gn05lMJrkyPDNEZ0wmkziOo2d2FqGzvBuN1EISDuTZmaNHol6o7YLQttHR0U2bNpWXl+v1ep1Oh/LOHZhIJDAMY99EdTqd1IIUGjbXGvMSpB5YFJ7rmf93333n9Xqrq6tnZ2fdbvcnn3yC+pcuXbpq1Sr0Wf5Xy/X19UNDQ99//31DQ8Mrr7xitVp9Pt/Q0FB9fb0SgazDedA0XVBQQNO0GtHIHeFvRicnJ8fHx9nAYtIxNwgQ6r979+7HH3/s8/m6urpQT1dXl8/na2tru3v3rpQZUjNiGLZ06dKF8Du7ncolRT3CZNeqGi6I2uZ0Ojdu3Ojz+SiKunr1qnBIOp0uKCgYGRmhKIqiqPHxcYqiVDLvRU89sGjIl6D5vcdgnPfcK1eusO+5XCiKMpvNvM5MJqPX69l9IV6TYZgbN27YbDaHw3H16lWGYfr7+9vb241GI/saJC+QdTiXZDJpNBovXbqk0+n8fr+Ma8Jnq1z2yoSqNBpNJBJBTXavTBgc1Cl1ysX8P+ZZ98paW1sJgnC73VNTU9z+qakpl8tFEAQ6mRM1Q3RGkiQpiuJezfowK7WQuGJSdgpR6JGMFyq5IGrb/fv3uc/mFEUJ32MYhiEIgrcNJWqV0LB5nMe8uKkHFpH515hUKoXjOLsNyjbZ87pYLDYxMWG1WtF5nd/v37Jly/Dw8NTUVDQa3b9/f0NDA6sZbeP6fL41a9awnbwmgiRJkiSRfCwWW758udVqVS4gf5W7m9zW1tbU1MQwTHd3t91uZzhHkTzXRL+x+/fvdzgcwjN/dgpRAVFVjY2NTqczEolMTEywZ/6iweG5IB9zeVpaWtjCJiQSibS0tAjNkJmxp6fHZrOhg1/07KnkRiOMNvP/tSdv5zw8kvFCJRekbCNJsr+/P5lMBoNBp9OJ8v7w4UMcxwOBANp9am1tra2tnZiYiMfjJ0+e7OrqYiRWEXfGaDTK3YwSWs4wTCgUEv3Tohcx9cAiMv8awzCMx+MpKSn5+uuvuc3Tp08TBHHixAmSJFesWLFr165Hjx4xDDM7O+vxeKqqqoqKikiSbGlpQQfp3Fk6Ojo6OztZ/bwmorm5ubGxkW3W1NTwZOQFZK5ynR0ZGSEIAj1JpdNpi8Xy7bffIgGha1Jf6Q8//FCv15vNZo/Hg+4IvBNLeQEWmqYbGhoIgrBYLCdOnEApEA0OL0EyMV8oeGbIzJjJZA4ePKjX6zUajdPpnJqaynqjEY02grf2FhYpL56zCz6fr6amRqPRGI1Gt9vNZvbw4cPswHQ67XK5zGZzSUlJfX09eqsQXUXcGdPptEaj4Z2T80Zdvny5urpaJkovZeqBBSdLjZkHUutbCVVVVT///LNUc9HJxbWFIhAIoPPPPAmOembkQ7RzJJ9daG9vF/5ghAU9V3m9XhkNkHpACfjzPf3Jwp07d2SaAIZhFEVVVlZieROcPDEDmCu9vb0yPxAoLi6+ePHi+vXrZTRA6gEl5FeNAUQ5duxYeXm5w+EIh8OdnZ2fffbZYlsEvPAUFhauW7dORkC+wACAQvLx/5UBPOx2e39/v9lsbmlpaW9v371792JbBAAAoIglDMMstg0AAADAywm8xwAAAABqATUGAAAAUAuoMQAAAIBaQI0BAAAA1AJqDAAAAKAWUGMAAAAAtYAaAwAAAKgF1BgAAABALaDGAAAAAGoBNQYAAABQi/8A9twuasokCIkAAAAASUVORK5CYII=) \n--- \n \n**Screenshot:** ![xpro.org vulnerability](/twimages/screen-1111910.jpg)\n\n**Mirror:** [Click here to view the mirror](<http://1111910.openbounty.org/mirror/>)\n\n### Coordinated Disclosure Timeline\n\nVulnerability Reported:| 6 March, 2020 15:37 GMT \n---|--- \nVulnerability Verified:| 6 March, 2020 15:52 GMT \nWebsite Operator Notified:| 6 March, 2020 15:52 GMT \na. Using the ISO 29147 guidelines| ![](/images/done.png) \n---|--- \nb. Using publicly available security contacts| ![](/images/done.png) \nc. Using Open Bug Bounty notification framework| ![](/images/done.png) \nd. Using security contacts provided by the researcher| ![](/images/done.png) \nPublic Report Published \n[without any technical details]:| 6 March, 2020 15:52 GMT\n", "published": "2020-03-06T15:37:00", "modified": "2020-06-04T15:37:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://www.openbugbounty.org/reports/1111910/", "reporter": "g0bl1nsec", "references": [], "cvelist": [], "lastseen": "2020-08-22T22:19:10", "viewCount": 5, "enchantments": {"dependencies": {}, "score": {"value": 0.7, "vector": "NONE"}, "backreferences": {}, "exploitation": null, "vulnersScore": 0.7}, "openbugbounty": {"patchStatus": "unpatched", "mirror": "http://1111910.openbounty.org/mirror/"}, "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1645663804, "score": 1684004500, "epss": 1679002791}, "_internal": {"score_hash": "dd334fb386e23c454d47e31e167aaad8"}}