Open Bug Bounty ID: OBB-1167286
Following coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has:
      a. verified the vulnerability and confirmed its existence;
      b. notified the website operator about its existence.
Affected Website: love-hotel.jp
Vulnerable Application: Custom Code
Vulnerability Type: XSS (Cross Site Scripting) / CWE-79
CVSSv3 Score: 6.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N]
Disclosure Standard: Coordinated Disclosure based on ISO 29147 guidelines
Discovered and Reported by: g0bl1nsec
Remediation Guide: OWASP XSS Prevention Cheat Sheet
Vulnerable URL and HTTP POST data: provided only as images in the original report and not reproduced here.
Screenshot: ![love-hotel.jp vulnerability](/twimages/screen-1167286.jpg)
Coordinated Disclosure Timeline
Vulnerability Reported: 20 May, 2020 20:07 GMT
Vulnerability Verified: 20 May, 2020 20:23 GMT
Website Operator Notified: 20 May, 2020 20:23 GMT
      a. Using the ISO 29147 guidelines (done)
      b. Using publicly available security contacts (done)
      c. Using Open Bug Bounty notification framework (done)
      d. Using security contacts provided by the researcher (done)
Public Report Published [without any technical details]: 20 May, 2020 20:23 GMT
Vulnerability Fixed: 27 June, 2020 13:32 GMT