
kimlongdongthap.vn Cross Site Scripting vulnerability OBB-1180044

2020-06-01 11:13:00
dracutdashf
www.openbugbounty.org

Following coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has:

    a. verified the vulnerability and confirmed its existence;
    b. notified the website operator about its existence.

Affected Website: kimlongdongthap.vn
Open Bug Bounty Program: Create your bounty program now. It’s open and free.
Vulnerable Application: Custom Code
Vulnerability Type: XSS (Cross Site Scripting) / CWE-79
CVSSv3 Score: 6.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N]
Disclosure Standard: Coordinated Disclosure based on ISO 29147 guidelines
Discovered and Reported by: dracutdashf
Remediation Guide: OWASP XSS Prevention Cheat Sheet
Export Vulnerability Data: Bugzilla Vulnerability Data
JIRA Vulnerability Data [ Configuration ]
Mantis Vulnerability Data
Splunk Vulnerability Data
XML Vulnerability Data [ XSD ]

Vulnerable URL:


Mirror: Click here to view the mirror

Coordinated Disclosure Timeline

Vulnerability Reported: 1 June, 2020 11:13 GMT
Vulnerability Verified: 2 June, 2020 11:11 GMT
Website Operator Notified: 2 June, 2020 11:11 GMT
a. Using the ISO 29147 guidelines
b. Using publicly available security contacts
c. Using Open Bug Bounty notification framework
d. Using security contacts provided by the researcher
Public Report Published [without any technical details]: 2 June, 2020 11:11 GMT