Open Bug Bounty ID: OBB-1181764
Following coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has:
      a. verified the vulnerability and confirmed its existence;
      b. notified the website operator about its existence.
| Field | Value |
|---|---|
| Affected Website | panpnwatch.tarad.com |
| Vulnerable Application | Custom Code |
| Vulnerability Type | XSS (Cross Site Scripting) / CWE-79 |
| CVSSv3 Score | 6.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N] |
| Disclosure Standard | Coordinated Disclosure based on ISO 29147 guidelines |
| Discovered and Reported by | Tanzil |
| Remediation Guide | OWASP XSS Prevention Cheat Sheet |
Vulnerable URL: (shown only as an image on the original page; not reproduced here)
Coordinated Disclosure Timeline
| Event | Date |
|---|---|
| Vulnerability Reported | 2 June, 2020 14:16 GMT |
| Vulnerability Verified | 2 June, 2020 14:29 GMT |
| Website Operator Notified | 2 June, 2020 14:29 GMT |
| Public Report Published (without any technical details) | 2 June, 2020 14:29 GMT |
| Vulnerability Fixed | 7 July, 2020 16:34 GMT |

Website operator notification channels used (all marked as completed):
      a. Using the ISO 29147 guidelines
      b. Using publicly available security contacts
      c. Using Open Bug Bounty notification framework
      d. Using security contacts provided by the researcher