
thv.vn Cross Site Scripting vulnerability

Description

Open Bug Bounty ID: OBB-1169676

Following the coordinated and responsible vulnerability disclosure guidelines of the **[ISO 29147](<https://www.iso.org/standard/45170.html>)** standard, Open Bug Bounty has:

a. verified the vulnerability and confirmed its existence;
b. notified the website operator about its existence.

| Affected Website: | **[thv.vn](<http://thv.vn>)** |
|---|---|
| Open Bug Bounty Program: | **Create your bounty program now**. It's open and free. |
| Vulnerable Application: | Custom Code |
| Vulnerability Type: | **[XSS (Cross Site Scripting)](<https://www.owasp.org/index.php/Cross-site_Scripting_\(XSS\)>)** / CWE-79 |
| CVSSv3 Score: | 6.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N] |
| Disclosure Standard: | Coordinated Disclosure based on **[ISO 29147](<https://www.iso.org/standard/45170.html>)** guidelines |
| Discovered and Reported by: | **g0bl1nsec** |
| Remediation Guide: | **[OWASP XSS Prevention Cheat Sheet](<https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.md>)** |
| Export Vulnerability Data: | Bugzilla, JIRA, Mantis, Splunk, XML |
| Vulnerable URL: | |

**Screenshot:** ![thv.vn vulnerability](/twimages/screen-1169676.jpg)

**Mirror:** [Click here to view the mirror](<http://1169676.openbounty.org/mirror/>)

### Coordinated Disclosure Timeline

| Vulnerability Reported: | 23 May, 2020 09:22 GMT |
|---|---|
| Vulnerability Verified: | 23 May, 2020 09:34 GMT |
| Website Operator Notified: | 23 May, 2020 09:34 GMT |
| a. Using the ISO 29147 guidelines | Done |
| b. Using publicly available security contacts | Done |
| c. Using Open Bug Bounty notification framework | Done |
| d. Using security contacts provided by the researcher | Done |
| Public Report Published [without any technical details]: | 23 May, 2020 09:34 GMT |