Open Bug Bounty ID: OBB-1158770
Following coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has:
      a. verified the vulnerability and confirmed its existence;
      b. notified the website operator about its existence.
| Field | Value |
|---|---|
| Affected Website | cart.meitu.com |
| Vulnerable Application | Custom Code |
| Vulnerability Type | XSS (Cross Site Scripting) / CWE-79 |
| CVSSv3 Score | 6.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N] |
| Disclosure Standard | Coordinated Disclosure based on ISO 29147 guidelines |
| Discovered and Reported by | jub0bs |
| Remediation Guide | OWASP XSS Prevention Cheat Sheet |
Vulnerable URL:
Screenshot: ![cart.meitu.com vulnerability](/twimages/screen-1158770.jpg)
Coordinated Disclosure Timeline

| Event | Date |
|---|---|
| Vulnerability Reported | 11 May, 2020 08:04 GMT |
| Vulnerability Verified | 11 May, 2020 08:12 GMT |
| Website Operator Notified | 11 May, 2020 08:12 GMT |
| Public Report Published (without any technical details) | 11 May, 2020 08:12 GMT |

Website operator notification channels used (all completed):

      a. Using the ISO 29147 guidelines
      b. Using publicly available security contacts
      c. Using Open Bug Bounty notification framework
      d. Using security contacts provided by the researcher