Open Bug Bounty ID: OBB-1167109
Following coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has:
      a. verified the vulnerability and confirmed its existence;
      b. notified the website operator about its existence.
Affected Website: rpw.ztm.lublin.eu
Vulnerable Application: Custom Code
Vulnerability Type: XSS (Cross Site Scripting) / CWE-79
CVSSv3 Score: 6.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N]
Disclosure Standard: Coordinated Disclosure based on ISO 29147 guidelines
Discovered and Reported by: g0bl1nsec
Remediation Guide: OWASP XSS Prevention Cheat Sheet
Vulnerable URL: shown on the original report page only as an image (not reproduced here)
Screenshot: rpw.ztm.lublin.eu vulnerability (/twimages/screen-1167109.jpg)
Mirror: available from the original report page
Coordinated Disclosure Timeline
Vulnerability Reported: 20 May, 2020 19:33 GMT
Vulnerability Verified: 20 May, 2020 19:40 GMT
Website Operator Notified: 20 May, 2020 19:40 GMT
      a. Using the ISO 29147 guidelines: done
      b. Using publicly available security contacts: done
      c. Using Open Bug Bounty notification framework: done
      d. Using security contacts provided by the researcher: done
Public Report Published [without any technical details]: 20 May, 2020 19:40 GMT
Vulnerability Fixed: 23 June, 2020 15:44 GMT
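The report above withholds the technical details of the flaw, so nothing that follows describes the actual issue on rpw.ztm.lublin.eu. As an added, generic illustration of CWE-79 and of the context-aware output encoding the OWASP XSS Prevention Cheat Sheet recommends (example code written for this page, not code from Open Bug Bounty, the researcher or the affected site), the JavaScript below takes a reflected query parameter and renders it first unencoded, then encoded separately for the HTML body and HTML attribute contexts, which goes slightly beyond the single remediation pointer by showing why one encoder is not enough. The parameter name `q`, the host `example.test`, the page template and the payload are all constructed for the example.

```javascript
// Added, generic illustration of CWE-79 remediation (OWASP XSS Prevention Cheat Sheet).
// Nothing here is taken from the affected site: parameter "q", host example.test,
// the template and the payload are constructed for this example.

// HTML body context: entity-encode the six characters that can change HTML structure.
function encodeForHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;' };
  return String(s).replace(/[&<>"'\/]/g, (c) => map[c]);
}

// HTML attribute context: encode every ASCII/Latin-1 character that is not alphanumeric
// as &#xHH;, so the value cannot terminate even an unquoted attribute or add a new one.
function encodeForHtmlAttribute(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 256 ? '&#x' + code.toString(16).toUpperCase().padStart(2, '0') + ';' : c;
  });
}

// Extract the reflected parameter the way a request handler would, from the full URL.
function reflectedTerm(requestUrl) {
  return new URL(requestUrl).searchParams.get('q') || '';
}

// "Before": the search term is concatenated into two different HTML contexts unencoded.
// This is the pattern CWE-79 describes; a term such as "><img src=x onerror=alert(1)>
// closes the attribute and injects an element carrying an event handler.
function renderSearchPageUnsafe(term) {
  return '<input name="q" value="' + term + '"><p>Results for ' + term + '</p>';
}

// "After": each interpolation uses the encoder for the context it lands in.
function renderSearchPageSafe(term) {
  return '<input name="q" value="' + encodeForHtmlAttribute(term) + '">' +
         '<p>Results for ' + encodeForHtml(term) + '</p>';
}

// Crude structural check used only to show the difference: count element starts
// beyond the three the template itself emits (<input, <p, </p).
function injectedTagCount(html) {
  const total = (html.match(/<[A-Za-z/]/g) || []).length;
  return total - 3;
}

// Constructed request carrying a classic attribute-breakout payload.
const demoUrl = 'https://example.test/search?q=' + encodeURIComponent('"><img src=x onerror=alert(1)>');
const demoTerm = reflectedTerm(demoUrl);
console.log('unsafe:', renderSearchPageUnsafe(demoTerm),
            '| injected tags:', injectedTagCount(renderSearchPageUnsafe(demoTerm)));
console.log('safe:  ', renderSearchPageSafe(demoTerm),
            '| injected tags:', injectedTagCount(renderSearchPageSafe(demoTerm)));
```

The unsafe render of the constructed payload yields two injected `<img` elements (one inside the attribute breakout, one in the body); the safe render yields none, because the attribute encoder neutralises `"`, `>`, `=` and spaces while the body encoder neutralises `<` and `>`. The structural count is a demonstration aid, not a detection method; in real code the encoding is applied by the template engine for every untrusted value rather than checked afterwards.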