
comerto.com Cross Site Scripting vulnerability

Description

Open Bug Bounty ID: OBB-1163627

Following the coordinated and responsible vulnerability disclosure guidelines of the **[ISO 29147](<https://www.iso.org/standard/45170.html>)** standard, Open Bug Bounty has:

a. verified the vulnerability and confirmed its existence;
b. notified the website operator about its existence.

| | |
|---|---|
| Affected Website: | **[comerto.com](<https://www.comerto.com>)** |
| Open Bug Bounty Program: | **Create your bounty program now**. It's open and free. |
| Vulnerable Application: | Custom Code |
| Vulnerability Type: | **[XSS (Cross Site Scripting)](<https://www.owasp.org/index.php/Cross-site_Scripting_\(XSS\)>)** / CWE-79 |
| CVSSv3 Score: | 6.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N] |
| Disclosure Standard: | Coordinated Disclosure based on **[ISO 29147](<https://www.iso.org/standard/45170.html>)** guidelines |
| Discovered and Reported by: | **g0bl1nsec** |
| Remediation Guide: | **[OWASP XSS Prevention Cheat Sheet](<https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.md>)** |
| Export Vulnerability Data: | Bugzilla, JIRA [Configuration], Mantis, Splunk, XML [XSD] |
| Vulnerable URL: | rendered only as an image on the original page; not reproduced here |

**Screenshot:** ![comerto.com vulnerability](/twimages/screen-1163627.jpg)

**Mirror:** [Click here to view the mirror](<http://1163627.openbounty.org/mirror/>)

### Coordinated Disclosure Timeline

| | |
|---|---|
| Vulnerability Reported: | 17 May, 2020 12:44 GMT |
| Vulnerability Verified: | 17 May, 2020 12:52 GMT |
| Website Operator Notified: | 17 May, 2020 12:52 GMT |
| Public Report Published [without any technical details]: | 17 May, 2020 12:52 GMT |

Website operator notified using:

a. the ISO 29147 guidelines: done
b. publicly available security contacts: done
c. the Open Bug Bounty notification framework: done
d. security contacts provided by the researcher: done