Open Bug Bounty ID: OBB-1172602
Following coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has:
      a. verified the vulnerability and confirmed its existence;
      b. notified the website operator about its existence.
| Field | Value |
| --- | --- |
| Affected Website | noovindoor.ir |
| Vulnerable Application | Custom Code |
| Vulnerability Type | XSS (Cross Site Scripting) / CWE-79 |
| CVSSv3 Score | 6.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N] |
| Disclosure Standard | Coordinated Disclosure based on ISO 29147 guidelines |
| Discovered and Reported by | geeknik |
| Remediation Guide | OWASP XSS Prevention Cheat Sheet |
Vulnerable URL: shown only as an image in the original report (not reproduced here).
Screenshot: ![noovindoor.ir vulnerability](/twimages/screen-1172602.jpg)
Coordinated Disclosure Timeline

| Event | Time |
| --- | --- |
| Vulnerability Reported | 26 May, 2020 13:40 GMT |
| Vulnerability Verified | 26 May, 2020 13:50 GMT |
| Website Operator Notified | 26 May, 2020 13:50 GMT |
| Public Report Published (without any technical details) | 26 May, 2020 13:50 GMT |
| Vulnerability Fixed | 3 July, 2020 16:36 GMT |

Website operator notification channels (each marked as completed in the original report):
      a. Using the ISO 29147 guidelines
      b. Using publicly available security contacts
      c. Using Open Bug Bounty notification framework
      d. Using security contacts provided by the researcher