
hermandot.co.jp Cross Site Scripting vulnerability OBB-1121280

2020-03-20 13:34:00
geeknik
www.openbugbounty.org

Following coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has:

      a. verified the vulnerability and confirmed its existence;
      b. notified the website operator about its existence.

Affected Website: hermandot.co.jp
Vulnerable Application: Custom Code
Vulnerability Type: XSS (Cross Site Scripting) / CWE-79
CVSSv3 Score: 6.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N]
Disclosure Standard: Coordinated Disclosure based on ISO 29147 guidelines
Discovered and Reported by: geeknik
Remediation Guide: OWASP XSS Prevention Cheat Sheet

Vulnerable URL: [provided as an image on the original page; not reproduced here]

Screenshot: hermandot.co.jp vulnerability


Coordinated Disclosure Timeline

Vulnerability Reported: 20 March, 2020 13:34 GMT
Vulnerability Verified: 20 March, 2020 13:41 GMT
Website Operator Notified: 20 March, 2020 13:41 GMT
a. Using the ISO 29147 guidelines
b. Using publicly available security contacts
c. Using Open Bug Bounty notification framework
d. Using security contacts provided by the researcher
Public Report Published [without any technical details]: 20 March, 2020 13:41 GMT