
livehome3d.com Cross Site Scripting vulnerability

2020-05-08 00:36:00
Implosion
www.openbugbounty.org

Open Bug Bounty ID: OBB-1157537

Following coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has:

      a. verified the vulnerability and confirmed its existence;
      b. notified the website operator about its existence.

Affected Website: livehome3d.com
Vulnerable Application: Custom Code
Vulnerability Type: XSS (Cross Site Scripting) / CWE-79
CVSSv3 Score: 6.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N]
Disclosure Standard: Coordinated Disclosure based on ISO 29147 guidelines
Discovered and Reported by: Implosion
Remediation Guide: OWASP XSS Prevention Cheat Sheet

Vulnerable URL: [provided as an image on the original page; not reproduced]

Screenshot: livehome3d.com vulnerability

Coordinated Disclosure Timeline

Vulnerability Reported: 8 May, 2020 00:36 GMT
Vulnerability Verified: 8 May, 2020 00:49 GMT
Website Operator Notified: 8 May, 2020 00:49 GMT
a. Using the ISO 29147 guidelines
— —
b. Using publicly available security contacts
c. Using Open Bug Bounty notification framework
d. Using security contacts provided by the researcher
Public Report Published [without any technical details]: 8 May, 2020 00:49 GMT