
# smapp.rand.org Cross Site Scripting vulnerability

## Description

Open Bug Bounty ID: OBB-1156806

Following coordinated and responsible vulnerability disclosure guidelines of the **[ISO 29147](<https://www.iso.org/standard/45170.html>)** standard, Open Bug Bounty has:

a. verified the vulnerability and confirmed its existence;
b. notified the website operator about its existence.

| | |
|---|---|
| Affected Website: | **[smapp.rand.org](<https://smapp.rand.org>)** |
| Vulnerable Application: | Custom Code |
| Vulnerability Type: | **[XSS (Cross Site Scripting)](<https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)>)** / CWE-79 |
| CVSSv3 Score: | 6.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N] |
| Disclosure Standard: | Coordinated Disclosure based on **[ISO 29147](<https://www.iso.org/standard/45170.html>)** guidelines |
| Discovered and Reported by: | **ELProfesor** |
| Remediation Guide: | **[OWASP XSS Prevention Cheat Sheet](<https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.md>)** |

Vulnerable URL: (provided on the original page as an image only; not reproduced here)

HTTP POST data: (provided on the original page as an image only; not reproduced here)

**Screenshot:** ![smapp.rand.org vulnerability](/twimages/screen-1156806.jpg)

**Mirror:** [Click here to view the mirror](<http://1156806.openbounty.org/mirror/>)

### Coordinated Disclosure Timeline

| | |
|---|---|
| Vulnerability Reported: | 6 May, 2020 12:48 GMT |
| Vulnerability Verified: | 6 May, 2020 13:02 GMT |
| Website Operator Notified: | 6 May, 2020 13:02 GMT |
| a. Using the ISO 29147 guidelines | done |
| b. Using publicly available security contacts | done |
| c. Using Open Bug Bounty notification framework | done |
| d. Using security contacts provided by the researcher | done |
| Public Report Published [without any technical details]: | 6 May, 2020 13:02 GMT |