Following coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has:
      a. verified the vulnerability and confirmed its existence;
      b. notified the website operator about its existence.
| Field | Value |
|---|---|
| Affected Website | qspace.qu.edu.qa |
| Open Bug Bounty Program | Create your bounty program now. It's open and free. |
| Vulnerable Application | Custom Code |
| Vulnerability Type | XSS (Cross Site Scripting) / CWE-79 |
| CVSSv3 Score | 6.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N] |
| Disclosure Standard | Coordinated Disclosure based on ISO 29147 guidelines |
| Discovered and Reported by | xav0 |
| Remediation Guide | OWASP XSS Prevention Cheat Sheet |
| Export Vulnerability Data | Bugzilla, JIRA, Mantis, Splunk, XML |
Vulnerable URL:
HTTP POST data:
Coordinated Disclosure Timeline

| Event | Date |
|---|---|
| Vulnerability Reported | 10 June, 2020 11:44 GMT |
| Vulnerability Verified | 10 June, 2020 11:58 GMT |
| Website Operator Notified | 10 June, 2020 11:58 GMT |
| Public Report Published (without any technical details) | 10 June, 2020 11:58 GMT |
| Vulnerability Fixed | 2 July, 2020 14:47 GMT |

Website operator notification channels (each marked as done):
      a. Using the ISO 29147 guidelines
      b. Using publicly available security contacts
      c. Using Open Bug Bounty notification framework
      d. Using security contacts provided by the researcher