
techdata.com.my Cross Site Scripting vulnerability

2020-05-11 20:17:00 | deadb1t | www.openbugbounty.org

Open Bug Bounty ID: OBB-1159190

Following coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has:

a. verified the vulnerability and confirmed its existence;
b. notified the website operator about its existence.

Affected Website: techdata.com.my
Vulnerable Application: Custom Code
Vulnerability Type: XSS (Cross Site Scripting) / CWE-79
CVSSv3 Score: 6.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N]
Disclosure Standard: Coordinated Disclosure based on ISO 29147 guidelines
Discovered and Reported by: deadb1t
Remediation Guide: OWASP XSS Prevention Cheat Sheet

Vulnerable URL:


Screenshot: techdata.com.my vulnerability


Coordinated Disclosure Timeline

Vulnerability Reported: 11 May, 2020 20:17 GMT
Vulnerability Verified: 11 May, 2020 20:26 GMT
Website Operator Notified: 11 May, 2020 20:26 GMT
a. Using the ISO 29147 guidelines
b. Using publicly available security contacts
c. Using Open Bug Bounty notification framework
d. Using security contacts provided by the researcher
Public Report Published [without any technical details]: 11 May, 2020 20:26 GMT