Open Bug Bounty ID: OBB-1158640
Following coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has:
      a. verified the vulnerability and confirmed its existence;
      b. notified the website operator about its existence.
Affected Website: bloo.com.au
Vulnerable Application: Custom Code
Vulnerability Type: XSS (Cross Site Scripting) / CWE-79
CVSSv3 Score: 6.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N]
Disclosure Standard: Coordinated Disclosure based on ISO 29147 guidelines
Discovered and Reported by: Teamhash
Remediation Guide: OWASP XSS Prevention Cheat Sheet
Vulnerable URL: (provided only as an embedded image in the original report)
Coordinated Disclosure Timeline
Vulnerability Reported: 11 May, 2020 02:46 GMT
Vulnerability Verified: 11 May, 2020 08:18 GMT
Website Operator Notified: 11 May, 2020 08:18 GMT
      a. Using the ISO 29147 guidelines: done
      b. Using publicly available security contacts: done
      c. Using Open Bug Bounty notification framework: done
      d. Using security contacts provided by the researcher: done
Public Report Published [without any technical details]: 11 May, 2020 08:18 GMT