Following coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has:
      a. verified the vulnerability and confirmed its existence;
      b. notified the website operator about its existence.
| Field | Value |
|---|---|
| Affected Website | comune.cardinale.cz.it |
| Open Bug Bounty Program | Create your bounty program now. It's open and free. |
| Vulnerable Application | Custom Code |
| Vulnerability Type | XSS (Cross Site Scripting) / CWE-79 |
| CVSSv3 Score | 6.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N] |
| Disclosure Standard | Coordinated Disclosure based on ISO 29147 guidelines |
| Discovered and Reported by | g0bl1nsec |
| Remediation Guide | OWASP XSS Prevention Cheat Sheet |
| Export Vulnerability Data | Bugzilla Vulnerability Data; JIRA Vulnerability Data [ Configuration ]; Mantis Vulnerability Data; Splunk Vulnerability Data; XML Vulnerability Data [ XSD ] |
Vulnerable URL: (provided on the original page as an image; not reproduced here)
HTTP POST data: (provided on the original page as an image; not reproduced here)
Screenshot: ![comune.cardinale.cz.it vulnerability](/twimages/screen-1171933.jpg)
Mirror: Click here to view the mirror
Coordinated Disclosure Timeline

| Event | Date / Status |
|---|---|
| Vulnerability Reported | 25 May, 2020 21:32 GMT |
| Vulnerability Verified | 25 May, 2020 21:47 GMT |
| Website Operator Notified | 25 May, 2020 21:47 GMT |
| a. Using the ISO 29147 guidelines | ![](/images/done.png) |
| b. Using publicly available security contacts | ![](/images/done.png) |
| c. Using Open Bug Bounty notification framework | ![](/images/done.png) |
| d. Using security contacts provided by the researcher | ![](/images/done.png) |
| Public Report Published [without any technical details] | 25 May, 2020 21:47 GMT |