Open Bug Bounty ID: OBB-1160186
Following coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has:
      a. verified the vulnerability and confirmed its existence;
      b. notified the website operator about its existence.
Affected Website: neuvoo.ca
Open Bug Bounty Program: none listed for this website
Vulnerable Application: Custom Code
Vulnerability Type: XSS (Cross Site Scripting) / CWE-79
CVSSv3 Score: 6.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N]
Disclosure Standard: Coordinated Disclosure based on ISO 29147 guidelines
Discovered and Reported by: marwanali2012
Remediation Guide: OWASP XSS Prevention Cheat Sheet
Vulnerable URL: [image]
Researcher's Comment: [image]
Screenshot: ![neuvoo.ca vulnerability](/twimages/screen-1160186.jpg)
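The report deliberately withholds the technical details of the neuvoo.ca finding, so the following is an added illustration and not the reported bug or any code from neuvoo.ca: the reflected-XSS pattern that CWE-79 describes, beside the fix the OWASP XSS Prevention Cheat Sheet prescribes, which is output encoding chosen per sink context (HTML body, quoted attribute, URL parameter). The handler shape, the `q` parameter and the probe payload are constructed for the example.

```javascript
// Added example: reflected XSS (CWE-79) and its context-aware fix.
// Not the neuvoo.ca code; request shape and "q" parameter are assumptions.

// OWASP rules #1/#2: entity-encode the characters that can terminate HTML
// body text or a quoted attribute value.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;',
                '"': '&quot;', "'": '&#x27;', '/': '&#x2F;' };
  return String(s).replace(/[&<>"'\/]/g, (c) => map[c]);
}

// Vulnerable: the search term is concatenated into three sinks unchanged, so
// a crafted link (/jobs?q=<payload>) runs attacker script in the victim's
// browser. This is the shape of bug the advisory classifies as CWE-79.
function renderSearchVulnerable(query) {
  const q = query.q ?? '';
  return `<h1>Results for ${q}</h1>` +
         `<input name="q" value="${q}">` +
         `<a href="/jobs?q=${q}">next page</a>`;
}

// Hardened: each sink gets the encoder for its own context. Body and quoted
// attribute use entity encoding; the URL parameter uses percent-encoding.
function renderSearchHardened(query) {
  const q = query.q ?? '';
  return `<h1>Results for ${escapeHtml(q)}</h1>` +
         `<input name="q" value="${escapeHtml(q)}">` +
         `<a href="/jobs?q=${encodeURIComponent(q)}">next page</a>`;
}

// Constructed probe: closes the attribute, then injects a script element.
const PAYLOAD = '"><script>alert(document.domain)</script>';

// Render both versions with the probe and report whether a script tag survives.
function demo() {
  const bad  = renderSearchVulnerable({ q: PAYLOAD });
  const good = renderSearchHardened({ q: PAYLOAD });
  return {
    bad,
    good,
    badExecutes:  /<script>/.test(bad),
    goodExecutes: /<script>/.test(good),
  };
}

console.log(demo());
```

Note what the fix does not do: it does not try to strip `<script>` or blacklist characters, which is why the cheat sheet steers towards encoding. The same payload is still present in the hardened output, only as inert entities, and a different payload aimed at the `href` would be neutralised by `encodeURIComponent` rather than by the HTML encoder.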
Coordinated Disclosure Timeline
Vulnerability Reported: 13 May, 2020 15:01 GMT
Vulnerability Verified: 13 May, 2020 15:11 GMT
Website Operator Notified: 13 May, 2020 15:11 GMT
      a. Using the ISO 29147 guidelines: done
      b. Using publicly available security contacts: done
      c. Using Open Bug Bounty notification framework: done
      d. Using security contacts provided by the researcher: done
Public Report Published [without any technical details]: 13 May, 2020 15:11 GMT
Vulnerability Fixed: 15 June, 2020 14:37 GMT