
auctions.bertolamifinearts.com Cross Site Scripting vulnerability

Description

Open Bug Bounty ID: OBB-1161364

Following the coordinated and responsible vulnerability disclosure guidelines of the **[ISO 29147](<https://www.iso.org/standard/45170.html>)** standard, Open Bug Bounty has:

a. verified the vulnerability and confirmed its existence;
b. notified the website operator about its existence.

| | |
|---|---|
| Affected Website: | **[auctions.bertolamifinearts.com](<https://auctions.bertolamifinearts.com>)** |
| Vulnerable Application: | Custom Code |
| Vulnerability Type: | **[XSS (Cross Site Scripting)](<https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)>)** / CWE-79 |
| CVSSv3 Score: | 6.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N] |
| Disclosure Standard: | Coordinated Disclosure based on **[ISO 29147](<https://www.iso.org/standard/45170.html>)** guidelines |
| Discovered and Reported by: | **g0bl1nsec** |
| Remediation Guide: | **[OWASP XSS Prevention Cheat Sheet](<https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.md>)** |

Vulnerable URL: (provided only as an image in the report; not reproduced)

HTTP POST data: (provided only as an image in the report; not reproduced)

**Screenshot:** ![auctions.bertolamifinearts.com vulnerability](/twimages/screen-1161364.jpg)

**Mirror:** [Click here to view the mirror](<http://1161364.openbounty.org/mirror/>)

### Coordinated Disclosure Timeline

| | |
|---|---|
| Vulnerability Reported: | 14 May, 2020 13:22 GMT |
| Vulnerability Verified: | 14 May, 2020 13:32 GMT |
| Website Operator Notified: | 14 May, 2020 13:32 GMT |
| a. Using the ISO 29147 guidelines | done |
| b. Using publicly available security contacts | done |
| c. Using Open Bug Bounty notification framework | done |
| d. Using security contacts provided by the researcher | done |
| Public Report Published [without any technical details]: | 14 May, 2020 13:32 GMT |