Following coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has:
      a. verified the vulnerability and confirmed its existence;
      b. notified the website operator about its existence.
Affected Website: homesteady.com
Vulnerable Application: Custom Code
Vulnerability Type: XSS (Cross Site Scripting) / CWE-79
CVSSv3 Score: 6.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N]
Disclosure Standard: Coordinated Disclosure based on ISO 29147 guidelines
Discovered and Reported by: xav0
Remediation Guide: OWASP XSS Prevention Cheat Sheet
Vulnerable URL:
Screenshot: ![homesteady.com vulnerability](/twimages/screen-1192410.jpg)
Coordinated Disclosure Timeline
Vulnerability Reported: 11 June, 2020 13:09 GMT
Vulnerability Verified: 11 June, 2020 13:18 GMT
Website Operator Notified: 11 June, 2020 13:18 GMT
      a. Using the ISO 29147 guidelines: done
      b. Using publicly available security contacts: done
      c. Using Open Bug Bounty notification framework: done
      d. Using security contacts provided by the researcher: done
Public Report Published [without any technical details]: 11 June, 2020 13:18 GMT