
en.pwa.co.th Cross Site Scripting vulnerability

Description

Open Bug Bounty ID: OBB-1163985

Following the coordinated and responsible vulnerability disclosure guidelines of the **[ISO 29147](https://www.iso.org/standard/45170.html)** standard, Open Bug Bounty has:

a. verified the vulnerability and confirmed its existence;
b. notified the website operator about its existence.

| Field | Value |
|---|---|
| Affected Website | **[en.pwa.co.th](http://en.pwa.co.th)** |
| Vulnerable Application | Custom Code |
| Vulnerability Type | **[XSS (Cross Site Scripting)](https://www.owasp.org/index.php/Cross-site_Scripting_\(XSS\))** / CWE-79 |
| CVSSv3 Score | 6.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N] |
| Disclosure Standard | Coordinated Disclosure based on **[ISO 29147](https://www.iso.org/standard/45170.html)** guidelines |
| Discovered and Reported by | **g0bl1nsec** |
| Remediation Guide | **[OWASP XSS Prevention Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.md)** |

Vulnerable URL: (shown as an image on the original page)

HTTP POST data: (shown as an image on the original page)

**Screenshot:** en.pwa.co.th vulnerability (image)

**Mirror:** [Click here to view the mirror](http://1163985.openbounty.org/mirror/)

### Coordinated Disclosure Timeline

| Event | Time |
|---|---|
| Vulnerability Reported | 17 May, 2020 16:32 GMT |
| Vulnerability Verified | 17 May, 2020 16:42 GMT |
| Website Operator Notified | 17 May, 2020 16:42 GMT |
| Public Report Published [without any technical details] | 17 May, 2020 16:42 GMT |

Operator notification channels used:

a. Using the ISO 29147 guidelines: done
b. Using publicly available security contacts: done
c. Using Open Bug Bounty notification framework: done
d. Using security contacts provided by the researcher: done