
sitrap.org.py Cross Site Scripting vulnerability

Description

Open Bug Bounty ID: OBB-1167309

Following coordinated and responsible vulnerability disclosure guidelines of the **[ISO 29147](<https://www.iso.org/standard/45170.html>)** standard, Open Bug Bounty has:

a. verified the vulnerability and confirmed its existence;
b. notified the website operator about its existence.

| Affected Website: | **[sitrap.org.py](<http://sitrap.org.py>)** |
|---|---|
| Open Bug Bounty Program: | **Create your bounty program now**. It's open and free. |
| Vulnerable Application: | Custom Code |
| Vulnerability Type: | **[XSS (Cross Site Scripting)](<https://www.owasp.org/index.php/Cross-site_Scripting_\(XSS\)>)** / CWE-79 |
| CVSSv3 Score: | 6.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N] |
| Disclosure Standard: | Coordinated Disclosure based on **[ISO 29147](<https://www.iso.org/standard/45170.html>)** guidelines |
| Discovered and Reported by: | **g0bl1nsec** |
| Remediation Guide: | **[OWASP XSS Prevention Cheat Sheet](<https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.md>)** |
| Export Vulnerability Data: | Bugzilla Vulnerability Data, JIRA Vulnerability Data [ Configuration ], Mantis Vulnerability Data, Splunk Vulnerability Data, XML Vulnerability Data [ XSD ] |

Vulnerable URL: [image on the original page; the URL is not available as text]

HTTP POST data: [image on the original page; the POST data is not available as text]

**Screenshot:** ![sitrap.org.py vulnerability](/twimages/screen-1167309.jpg)

**Mirror:** [Click here to view the mirror](<http://1167309.openbounty.org/mirror/>)

### Coordinated Disclosure Timeline

| Vulnerability Reported: | 20 May, 2020 20:10 GMT |
|---|---|
| Vulnerability Verified: | 20 May, 2020 20:20 GMT |
| Website Operator Notified: | 20 May, 2020 20:20 GMT |

| Notification method | Status |
|---|---|
| a. Using the ISO 29147 guidelines | Done |
| b. Using publicly available security contacts | Done |
| c. Using Open Bug Bounty notification framework | Done |
| d. Using security contacts provided by the researcher | Done |

| Public Report Published [without any technical details]: | 20 May, 2020 20:20 GMT |
|---|---|