hotelsegas.com Cross Site Scripting vulnerability OBB-1192913

2020-06-11T15:28:00

Description

Following coordinated and responsible vulnerability disclosure guidelines of the **[ISO 29147](<https://www.iso.org/standard/45170.html>)** standard, Open Bug Bounty has: &nbsp&nbsp&nbsp&nbsp&nbsp&nbspa. verified the vulnerability and confirmed its existence; &nbsp&nbsp&nbsp&nbsp&nbsp&nbspb. notified the website operator about its existence. Affected Website:| **[hotelsegas.com](<http://hotelsegas.com>) ** ---|--- Open Bug Bounty Program:| **Create your bounty program now**. It's open and free. Vulnerable Application:| Custom Code Vulnerability Type:| **[XSS (Cross Site Scripting)](<https://www.owasp.org/index.php/Cross-site_Scripting_\(XSS\)>)** / CWE-79 CVSSv3 Score:| 6.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N] Disclosure Standard:| Coordinated Disclosure based on **[ISO 29147](<https://www.iso.org/standard/45170.html>)** guidelines Discovered and Reported by:| **xav0 ** Remediation Guide:| **[OWASP XSS Prevention Cheat Sheet](<https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.md>)** Export Vulnerability Data:| Bugzilla Vulnerability Data JIRA Vulnerability Data [ Configuration ] Mantis Vulnerability Data Splunk Vulnerability Data XML Vulnerability Data [ XSD ] Vulnerable URL: ![](data:image/png;base64, iVBORw0KGgoAAAANSUhEUgAAAiEAAAAjCAIAAADNIk3yAAAACXBIWXMAAA7EAAAOxAGVKw4bAAAKNElEQVR4nO3dX0hT7R8A8JMunXqmM3XanK9OQrwQixDR0IouSmzImv8iLI3EIpaJlJiCmZHZwuiPiRddVBcVEUOGFyLShYqImS1btkRkDlORac6mLdGd9+LwPpzOzjnafjvN+ft+rvY8Puf7fL/POed98tF6dxAEgQEAAAA88PF0AgAAALYt2GMAAADwBfYYAAAAfIE9BgAAAF9gjwEAAMAX2GMAAADwZUvsMXK5/OPHj2xN4AKPr6HHEwAAbAWe32M+ffrkcDj27t3L2AQu8PgaejwBAMAWscEeMzk5KRKJGL9ktVpv377N1tw8nU6Xk5NDa3LMy2bDBFyI6aVoS7qlEnDXXfj7dxPNuJmp2cZQ+9k+u/wqAbAFuf59zOLiYmNjI1tz8xj3mP89n/9nW3mP8V6xsbEWi4WnINR+eJLBduLhs7KZmZmxsbHDhw8zNoELPL6GHk+AP/7+/vwFcUtwALaaTe0xDx48kMvlYWFhp0+ftlqtGIZZrda4uDibzbZjx45nz55Rm/fu3ROJRHfv3o2MjAwNDS0uLv758ydbZJ1Od/To0Z07dzI2nefFMGx5efn8+fMRERExMTE3btxYX193zgfDsF+/fp07d04kEsXGxl6/fp0cRvXu3bvMzEyRSBQdHZ2bm/vlyxeyn+3CmZmZ48ePi0QiuVze3NwcGhqK4qSnpwcEBEREROTn53/79o0jOLK+vn7t2rXIyMigoKD8/Pz5+Xm26shTlObmZrlcHhQUVFhYOD8/f/Xq1YiIiLCwsLNnzy4vL7MtKWMafBdITYCtTMY7y5YbWxDk8+fPYWFhvb29DE/Y73ecVkhhYeGtW7fQgPT0dPLhYSyZ7fiLcTDpzp07tLdgwzM02pP8+PHjY8eOoWG1tbXFxcXcZQKwpWy8x9hsNr1e39/fPzg4OD09XV1djWFYSEiI0WjEcdxutxcVFVGbJ06csNlsg4ODQ0NDQ0NDw8PDGo2GLTjHQRnjvBiGlZeXT09PDw8Pd3Z26nS61tZW53wwDGtoaFhZWRkZGens7Ozp6Wlra6NNrVAoSkpKzGZzX19fRkaGUCgk+9kuVKvVfn5+4+Pj3d3dz58/R3GGh4fLyspmZ2cNBoNMJlOr1RzBEY1G093d3d3dPTY2JpVKR0dHOaojl6Kvr0+v109PTycmJloslpGRkYGBAZPJVFNTw7akjGnwXSA1AcYy2e4sW25sa0WyWq0qlaqpqSkzMxPj5FxIQUFBe3s7+dWZmRm9Xq9UKtlK3nxYst9msw39h/stoKI9yUqlsqen58ePH2htVSrVZuIAsFUQnEwmE4ZhS0tLZLO/vz8+Ph59Ccdx6kiySV5iNpvJfq1Wm5KSQn42m81xcXHoEpvNhuP4wsKCc5Nt3rW1NRzHJyYmyH6dTpeWlsaYT3h4uM1mIz/r9frU1FTqgIWFBYFAYLfbnUt2vpCcVygUonm1Wq1YLHa+dnx8PCoqiiM4IpFIhoeHaZ2M1ZFLsbi4SHb29fX5+PisrKygldmzZw+KQF1DtjR4LZB2T53L5Hii2HJjXCt0N7Ozsy9evOicCTeykJWVleDgYPJZbW1tzcnJYRtJ/P6EU580tsGMbwH12s18JggiLS3tzZs3qJ/7uQJgqxFsuAnhOI6+u5dKpQsLCxteIhQKY2JiyM+JiYlmsxld3t/fj4Z1dXWlpqaiMxlak3Heubm51dVVuVyOgpMvM833798tFktcXBzZdDgcAsFvlYaGhubl5aWlpR05ckQqlaakpBw6dIjjwrm5OYfDQZ0Xhfrw4UNVVdXo6Ojq6qrD4XA4HGzBEavVurCwkJycTEubrTocx0NCQshOmUwWHBwcEBCAVob6M2TqGjKmwXeB1ATYymR7ohhzYwtCqq2t7ezsfPLkCeNXaZwLCQgIyM7Obm9vv3TpklarLSkpYRv5R2HJfra34E8plcqOjo7c3NyOjo7s7Gz4sQ3wLhvvMW7k6+u7e/du1HTXb5Q5s9vtPj4+Q0NDaGvx8fFZXV2ljnn58uX79+8NBsP09HRlZeWBAwcePXrEeCH3XEqlsrS0tK2tTSgUTk1NZWVlsQWnXejr6+uWYqloa+icRk1NDa8FOt/EzZfJsfiMQVZWVrRa7atXr9RqtUqlQtvwHxVSUFDQ0tJSVFQ0ODio1Wo5Rv5RWDdSqVQZGRkYhnV0dKBdEACvwf1tjvOBGDpC2eRZWXt7Ozoro1pbWwsPD0eHM7Qm27ybPyvDcdz5lIbtiEOv18tkMrYLif+OkkwmE9lER0lzc3MCgYAax/mIiRockUgker3eeRbGszK2W0Br0taQLQ3+CnROwLlM7nIYc2NcK5PJJBAIRkdHCYJQKBRqtZqxaoStELvdvmvXrvv376tUKu6RjGdlHIMZ3wIXzsoIgkhKSuru7haLxeiMEQBv4foeY7PZBALB2NgYrUm+XXl5eVNTUwaDYd++ffX19SgCOk3u6elJSkpC/bQmx7ylpaU5OTlms9lgMOzfv//hw4eM+Vy4cCEtLY38g7ZGo2loaFhaWhIIBEajcW1tbXR0NCsr6+3btxaLxWw2l5aWKhQKtgvJ/ry8PKVSaTKZDAZDcnIyykcikbS2ti4uLo6NjSmVSrFYzBEcld/Y2JiamjoyMjI1NaVWq3t6etiq2/weQ1tDtjT4K5CWAGOZ3OUw5sa4VtQ4RqNRKBSOjIwQnJwLIftPnToVHBz8+vVr7pFoRuqDxDGY8S2gpk2NQ+2nPckEQdTV1SUnJ6OnCAAv4voeQxBEfX19YGDg06dPqc3m5mYcx5uamiQSiVgsPnPmDPoBNTXalStXampqUChak3tvKysrCw8Pl8lk9fX15HvunI/dbq+oqJDJZIGBgdnZ2eQfrqurq8kBq6ur9fX1CQkJfn5+EomkqKhodnaWDMJ4IUEQs7OzCoUCx/G4uLimpibqf9lTUlKEQmFUVFRlZaVYLGYLTi1qbW2tqqoqPDxcKBQqlUqLxcJW3eb3GNoasqXBX4G0BBjL5C6HMTfGtaLFKS8vP3jwIMHJuRCyv729Hcdx9JSyjaTOiB4k7sEajYb2FtDSRnFo/bQ3S6/XYxiGmgB4kQ32GBdwHElRJSQkDAwMsDW3OKPRKJFIPJ0FnRvX0LUCvesmehGbzSYUCtFv6wHgRf7qz/ypvn79ytHc4vR6fXx8vKezoHPjGrpWoHfdRC/S1dWVkZGBfuUSAC/isT3G69y8eVMqlebk5ExMTNTU1NTV1Xk6IzfbHgVGREQw9k9MTHjpv4hqtVpbWlpOnjzp6UQAcMUOgiDcG3FycjIpKQn9zeRto7e3t6KiwmAw/PPPP2q1+vLly57OyM22R4HUf8qFKjo6+i9n4i7+/v4KheLFixfwN2OAN3L/HgMAAACQPP//KAMAALBdwR4DAACAL7DHAAAA4AvsMQAAAPgCewwAAAC+wB4DAACAL7DHAAAA4AvsMQAAAPgCewwAAAC+wB4DAACAL/8CDMGNf426jIcAAAAASUVORK5CYII=) --- HTTP POST data: ![](data:image/png;base64, iVBORw0KGgoAAAANSUhEUgAAAiEAAAAjCAIAAADNIk3yAAAACXBIWXMAAA7EAAAOxAGVKw4bAAAImklEQVR4nO3cb0gT/x8A8HOdOvRGun9WGmqE9CBMokRIIzJCRET6Y0mrFkmZmAyxMHvQ2oMpZg/qQfTAwiCoByGxRwYSscYwNTmvtdZImUOWwRwuTtts634Pju9x7W63czrd+r1fj3YfP5/Pvd/nx3tvnxumURSFAAAAAAkg2ewAAAAA/LOgxgAAAEgUqDEAAAASBWoMAACARIEaAwAAIFGgxgAAAEgUqDGiFBcXT01NbXYUICGmpqauXbsm0OH3799NTU0/fvwQOSGsFgAYUGNi+/Tp058/f/bt27fZgYCE0Gq1RUVFAh3S09MzMjI6OzvFzAarBQC2eGrM7OysTCZb44lXO0ncJ117tCaTqb6+fi0ziAzD7/f39PSImWR2djY3N3eNIa3WuqSQDNhBLiwsEASh0+mYnwaDwaampohMdTrdyMiImMmTZ7UAkAxS5nNMYWGh1+vdlFOvy11DTPyLi4tGo3GNJ0qcfyAFGjtIkiSzsrIyMzPpw2AwWFNTEwqFIobI5XKSJMVMDqsFALaUqTEIgjA3glVBUbSkpCTuk37//t3pdB45ciTuGRjxxc/G5LLGpOK29hSS3Pz8/LFjx/r7++MbnlSrBYBkELvGhMPhW7du5eXlZWdnnz59emFhgW5/8OBBcXGxQqE4f/683++nG4PB4OXLl2UyWWFh4Z07d8LhsPAktM+fPysUivfv3wuEwd49oF/fv3+/uLg4Nzf33LlzTABc+fn5Hz9+ZA7fvHkjnG9EB5PJdPz48fT0dARBxsfHq6qqZDJZfn7+yZMnv3z5Ei01OsKenh6VSrV9+/YnT56wt7lkMtm9e/fy8vJyc3MvXrz469cvBEH8fn9RURFJkmlpac+ePeMNlcklPz//w4cPIjNi99n0FASGc8+IIMjS0tLVq1dVKtXOnTvv3r0bDofZv/3s7OwzZ84sLCzcuHFDpVIpFIpLly4tLS2tKki2wsLC27dvx7yevNcWSbLVAkAyiF1j+vr6RkZGRkZGnE7njh077HY7giAkSeI4brVax8bGPB5PV1cX3dlgMCwvLxMEMTw8bDabHz9+LDAJze/3nzhxore3t6qqSnzcJEkSBEEH4Ha7u7u76XYVR8RArVZbXV3NrjqM8fHx6upqrVbLbmRvfdTV1Wm1WrfbbbFYKisrpVKpQGokSTocDpvNNjg4WFlZGRH82NjYxMTExMTE5ORkX18fgiBbt251OBwYhgUCAY1GIxyqyIy4SSVJCrzDec/Y3t7u8XgmJyeHh4dNJtOjR4+Q/5afxWLBcdzj8ezZs8fr9RIEMTo66nK5mMUgMsi4cRdM8q8WADYaFYtarZ6cnGS3uFwuBEF+/vxJH1qt1l27dtGvlUolSZL0axzHy8vLBSbBMIyiqNra2tbW1phhMP25AVgsFiaAOY6IeUiSNBqNcrm8sbHR6XTSjU6ns7GxUS6XG41GJn66M4ZhPp+Poiifz4eiaCAQiHl9mAjpgRHx0z9yu910+9DQ0IEDB7g5RguVK1o3blJJkkK04dwzhkIhDMNmZmboQ5PJVFFRQXdbXFykGy0Wi0QiWV5epg+tVuvu3bvFBxkRcLTGiBbeBZMSqwWADRajxiwuLqIoGgqF2I0Ri9vlcuXk5FAU5fP5EARR/kcul6vVauFJuru7JRLJ06dPYwYqcF9gAhDP5/M1NDSgKEofoija0NDA3LYYQ0NDR48eZQ7Pnj1bVlbW0dHR39//7t27aKlxI6T+vmtIpVKm3W6301eJdxQ3VJEZRUsqGVKINpw71uPxZGRkMIdOp3Pbtm3Cv33mUGSQ8dUY3mubQqsFgA0j6pn/li1bxHQLBAISiWRiYgLHcRzHCYLAcVxgkuXl5aGhoZcvX3Z1dQk8UFmVmHtlCIJMT0+3tbWZzWaDwUC3GAwGs9nc2to6PT3N7hnxHaEXL14MDAyUlpaurKx0dHRcv349WmrrhRuq+G68SSVtCqmF99qmymoBYEPFrEJqtRrHcXaLwBtJDMO4WwHRJkFR1G63UxRVV1fX1tYmHIbIzzEx98paWlowDOvo6PB6vex2r9er0+kwDGtpaaFbQqGQUqlkNmoi4DheUFDAmxo3Qurvd6YIa/fj9evX0XY/ooUqMiPepJIhhWjDuWeMtlcm8nOMmCDj+xxDca5tqqwWADZY7BpjNBrLy8sJgpibm6PfJQn8kbe0tFRUVNhsNo/H09fXZzAYxEzicDikUilBEAJhrNdemUajcblcAmfRaDT0a7PZvHfvXuZHdru9pqbm7du3Xq/X7XY3NzfX1dXxpsaNkOLcNU6dOjU3N2ez2crKyvR6Pd2HJEkURZnNdOFQRWbETipJUog2nPd239zcXF9f73a7bTbb/v37Hz58uKoaEzNIt9vN3oyKyJTx7ds33jXGXNtUWS0AbLDYNSYUCt28eVOpVEql0oaGBq/XK/BHHggEdDpdQUFBVlZWbW0t87Yu5iTt7e2HDx8WCGN9n8eI0dnZ2d3dzRyurKzo9fqSkpKMjAy1Wq3RaObn5ym+1LgRUn/fNTAM6+3tVavVOTk5Fy5cYJ5XUxSl1+uzsrIGBwfXPZ3kSSHacN4aQ5LklStXlEplQUGBXq8PhULia4yYIAOBgFQqjXhIzo3k1atXpaWlAtf231stAKyL2DXm/1ZJScno6Oi6T8t7J00ta0xhY66A+LO0t7ezn9VzBQKBoqKigYEBgT6wWgDghW7s059U8vXr180OAWyE/v5+9pdTuDIzM58/f37o0CGBPrBaAOCVdDWG95tgCILMzMys/R9xAsCVnp5+8OBB4T7CBQYAEE3S1Zho7yihwAAAQMpJoyhqs2MAAADwb0ql/7sMAAAgtUCNAQAAkChQYwAAACQK1BgAAACJAjUGAABAokCNAQAAkChQYwAAACQK1BgAAACJAjUGAABAokCNAQAAkCj/A36iPBdM6GSiAAAAAElFTkSuQmCC) --- **Screenshot:** ![hotelsegas.com vulnerability](/twimages/screen-1192913.jpg) **Mirror:** [Click here to view the mirror](<http://1192913.openbounty.org/mirror/>) ### Coordinated Disclosure Timeline Vulnerability Reported:| 11 June, 2020 15:28 GMT ---|--- Vulnerability Verified:| 11 June, 2020 15:38 GMT Website Operator Notified:| 11 June, 2020 15:38 GMT a. Using the ISO 29147 guidelines| ![](/images/done.png) ---|--- b. Using publicly available security contacts| ![](/images/done.png) c. Using Open Bug Bounty notification framework| ![](/images/done.png) d. Using security contacts provided by the researcher| ![](/images/done.png) Public Report Published [without any technical details]:| 11 June, 2020 15:38 GMT Vulnerability Fixed:| 10 September, 2020 07:46 GMT ---|---

{"id": "OBB:1192913", "type": "openbugbounty", "bulletinFamily": "bugbounty", "title": "hotelsegas.com Cross Site Scripting vulnerability OBB-1192913 ", "description": " \n\n\nFollowing coordinated and responsible vulnerability disclosure guidelines of the **[ISO 29147](<https://www.iso.org/standard/45170.html>)** standard, Open Bug Bounty has: \n\n&nbsp&nbsp&nbsp&nbsp&nbsp&nbspa. verified the vulnerability and confirmed its existence; \n&nbsp&nbsp&nbsp&nbsp&nbsp&nbspb. notified the website operator about its existence.\n\nAffected Website:| **[hotelsegas.com](<http://hotelsegas.com>) ** \n---|--- \nOpen Bug Bounty Program:| **Create your bounty program now**. It's open and free. \nVulnerable Application:| Custom Code \nVulnerability Type:| **[XSS (Cross Site Scripting)](<https://www.owasp.org/index.php/Cross-site_Scripting_\\(XSS\\)>)** / CWE-79 \nCVSSv3 Score:| 6.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N] \nDisclosure Standard:| Coordinated Disclosure based on **[ISO 29147](<https://www.iso.org/standard/45170.html>)** guidelines \nDiscovered and Reported by:| **xav0 ** \nRemediation Guide:| **[OWASP XSS Prevention Cheat Sheet](<https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.md>)** \nExport Vulnerability Data:| Bugzilla Vulnerability Data \nJIRA Vulnerability Data [ Configuration ] \nMantis Vulnerability Data \nSplunk Vulnerability Data \nXML Vulnerability Data [ XSD ] \n \nVulnerable URL:\n\n![](data:image/png;base64, iVBORw0KGgoAAAANSUhEUgAAAiEAAAAjCAIAAADNIk3yAAAACXBIWXMAAA7EAAAOxAGVKw4bAAAKNElEQVR4nO3dX0hT7R8A8JMunXqmM3XanK9OQrwQixDR0IouSmzImv8iLI3EIpaJlJiCmZHZwuiPiRddVBcVEUOGFyLShYqImS1btkRkDlORac6mLdGd9+LwPpzOzjnafjvN+ft+rvY8Puf7fL/POed98tF6dxAEgQEAAAA88PF0AgAAALYt2GMAAADwBfYYAAAAfIE9BgAAAF9gjwEAAMAX2GMAAADwZUvsMXK5/OPHj2xN4AKPr6HHEwAAbAWe32M+ffrkcDj27t3L2AQu8PgaejwBAMAWscEeMzk5KRKJGL9ktVpv377N1tw8nU6Xk5NDa3LMy2bDBFyI6aVoS7qlEnDXXfj7dxPNuJmp2cZQ+9k+u/wqAbAFuf59zOLiYmNjI1tz8xj3mP89n/9nW3mP8V6xsbEWi4WnINR+eJLBduLhs7KZmZmxsbHDhw8zNoELPL6GHk+AP/7+/vwFcUtwALaaTe0xDx48kMvlYWFhp0+ftlqtGIZZrda4uDibzbZjx45nz55Rm/fu3ROJRHfv3o2MjAwNDS0uLv758ydbZJ1Od/To0Z07dzI2nefFMGx5efn8+fMRERExMTE3btxYX193zgfDsF+/fp07d04kEsXGxl6/fp0cRvXu3bvMzEyRSBQdHZ2bm/vlyxeyn+3CmZmZ48ePi0QiuVze3NwcGhqK4qSnpwcEBEREROTn53/79o0jOLK+vn7t2rXIyMigoKD8/Pz5+Xm26shTlObmZrlcHhQUVFhYOD8/f/Xq1YiIiLCwsLNnzy4vL7MtKWMafBdITYCtTMY7y5YbWxDk8+fPYWFhvb29DE/Y73ecVkhhYeGtW7fQgPT0dPLhYSyZ7fiLcTDpzp07tLdgwzM02pP8+PHjY8eOoWG1tbXFxcXcZQKwpWy8x9hsNr1e39/fPzg4OD09XV1djWFYSEiI0WjEcdxutxcVFVGbJ06csNlsg4ODQ0NDQ0NDw8PDGo2GLTjHQRnjvBiGlZeXT09PDw8Pd3Z26nS61tZW53wwDGtoaFhZWRkZGens7Ozp6Wlra6NNrVAoSkpKzGZzX19fRkaGUCgk+9kuVKvVfn5+4+Pj3d3dz58/R3GGh4fLyspmZ2cNBoNMJlOr1RzBEY1G093d3d3dPTY2JpVKR0dHOaojl6Kvr0+v109PTycmJloslpGRkYGBAZPJVFNTw7akjGnwXSA1AcYy2e4sW25sa0WyWq0qlaqpqSkzMxPj5FxIQUFBe3s7+dWZmRm9Xq9UKtlK3nxYst9msw39h/stoKI9yUqlsqen58ePH2htVSrVZuIAsFUQnEwmE4ZhS0tLZLO/vz8+Ph59Ccdx6kiySV5iNpvJfq1Wm5KSQn42m81xcXHoEpvNhuP4wsKCc5Nt3rW1NRzHJyYmyH6dTpeWlsaYT3h4uM1mIz/r9frU1FTqgIWFBYFAYLfbnUt2vpCcVygUonm1Wq1YLHa+dnx8PCoqiiM4IpFIhoeHaZ2M1ZFLsbi4SHb29fX5+PisrKygldmzZw+KQF1DtjR4LZB2T53L5Hii2HJjXCt0N7Ozsy9evOicCTeykJWVleDgYPJZbW1tzcnJYRtJ/P6EU580tsGMbwH12s18JggiLS3tzZs3qJ/7uQJgqxFsuAnhOI6+u5dKpQsLCxteIhQKY2JiyM+JiYlmsxld3t/fj4Z1dXWlpqaiMxlak3Heubm51dVVuVyOgpMvM833798tFktcXBzZdDgcAsFvlYaGhubl5aWlpR05ckQqlaakpBw6dIjjwrm5OYfDQZ0Xhfrw4UNVVdXo6Ojq6qrD4XA4HGzBEavVurCwkJycTEubrTocx0NCQshOmUwWHBwcEBCAVob6M2TqGjKmwXeB1ATYymR7ohhzYwtCqq2t7ezsfPLkCeNXaZwLCQgIyM7Obm9vv3TpklarLSkpYRv5R2HJfra34E8plcqOjo7c3NyOjo7s7Gz4sQ3wLhvvMW7k6+u7e/du1HTXb5Q5s9vtPj4+Q0NDaGvx8fFZXV2ljnn58uX79+8NBsP09HRlZeWBAwcePXrEeCH3XEqlsrS0tK2tTSgUTk1NZWVlsQWnXejr6+uWYqloa+icRk1NDa8FOt/EzZfJsfiMQVZWVrRa7atXr9RqtUqlQtvwHxVSUFDQ0tJSVFQ0ODio1Wo5Rv5RWDdSqVQZGRkYhnV0dKBdEACvwf1tjvOBGDpC2eRZWXt7Ozoro1pbWwsPD0eHM7Qm27ybPyvDcdz5lIbtiEOv18tkMrYLif+OkkwmE9lER0lzc3MCgYAax/mIiRockUgker3eeRbGszK2W0Br0taQLQ3+CnROwLlM7nIYc2NcK5PJJBAIRkdHCYJQKBRqtZqxaoStELvdvmvXrvv376tUKu6RjGdlHIMZ3wIXzsoIgkhKSuru7haLxeiMEQBv4foeY7PZBALB2NgYrUm+XXl5eVNTUwaDYd++ffX19SgCOk3u6elJSkpC/bQmx7ylpaU5OTlms9lgMOzfv//hw4eM+Vy4cCEtLY38g7ZGo2loaFhaWhIIBEajcW1tbXR0NCsr6+3btxaLxWw2l5aWKhQKtgvJ/ry8PKVSaTKZDAZDcnIyykcikbS2ti4uLo6NjSmVSrFYzBEcld/Y2JiamjoyMjI1NaVWq3t6etiq2/weQ1tDtjT4K5CWAGOZ3OUw5sa4VtQ4RqNRKBSOjIwQnJwLIftPnToVHBz8+vVr7pFoRuqDxDGY8S2gpk2NQ+2nPckEQdTV1SUnJ6OnCAAv4voeQxBEfX19YGDg06dPqc3m5mYcx5uamiQSiVgsPnPmDPoBNTXalStXampqUChak3tvKysrCw8Pl8lk9fX15HvunI/dbq+oqJDJZIGBgdnZ2eQfrqurq8kBq6ur9fX1CQkJfn5+EomkqKhodnaWDMJ4IUEQs7OzCoUCx/G4uLimpibqf9lTUlKEQmFUVFRlZaVYLGYLTi1qbW2tqqoqPDxcKBQqlUqLxcJW3eb3GNoasqXBX4G0BBjL5C6HMTfGtaLFKS8vP3jwIMHJuRCyv729Hcdx9JSyjaTOiB4k7sEajYb2FtDSRnFo/bQ3S6/XYxiGmgB4kQ32GBdwHElRJSQkDAwMsDW3OKPRKJFIPJ0FnRvX0LUCvesmehGbzSYUCtFv6wHgRf7qz/ypvn79ytHc4vR6fXx8vKezoHPjGrpWoHfdRC/S1dWVkZGBfuUSAC/isT3G69y8eVMqlebk5ExMTNTU1NTV1Xk6IzfbHgVGREQw9k9MTHjpv4hqtVpbWlpOnjzp6UQAcMUOgiDcG3FycjIpKQn9zeRto7e3t6KiwmAw/PPPP2q1+vLly57OyM22R4HUf8qFKjo6+i9n4i7+/v4KheLFixfwN2OAN3L/HgMAAACQPP//KAMAALBdwR4DAACAL7DHAAAA4AvsMQAAAPgCewwAAAC+wB4DAACAL7DHAAAA4AvsMQAAAPgCewwAAAC+wB4DAACAL/8CDMGNf426jIcAAAAASUVORK5CYII=) \n--- \n \nHTTP POST data:\n\n![](data:image/png;base64, iVBORw0KGgoAAAANSUhEUgAAAiEAAAAjCAIAAADNIk3yAAAACXBIWXMAAA7EAAAOxAGVKw4bAAAImklEQVR4nO3cb0gT/x8A8HOdOvRGun9WGmqE9CBMokRIIzJCRET6Y0mrFkmZmAyxMHvQ2oMpZg/qQfTAwiCoByGxRwYSscYwNTmvtdZImUOWwRwuTtts634Pju9x7W63czrd+r1fj3YfP5/Pvd/nx3tvnxumURSFAAAAAAkg2ewAAAAA/LOgxgAAAEgUqDEAAAASBWoMAACARIEaAwAAIFGgxgAAAEgUqDGiFBcXT01NbXYUICGmpqauXbsm0OH3799NTU0/fvwQOSGsFgAYUGNi+/Tp058/f/bt27fZgYCE0Gq1RUVFAh3S09MzMjI6OzvFzAarBQC2eGrM7OysTCZb44lXO0ncJ117tCaTqb6+fi0ziAzD7/f39PSImWR2djY3N3eNIa3WuqSQDNhBLiwsEASh0+mYnwaDwaampohMdTrdyMiImMmTZ7UAkAxS5nNMYWGh1+vdlFOvy11DTPyLi4tGo3GNJ0qcfyAFGjtIkiSzsrIyMzPpw2AwWFNTEwqFIobI5XKSJMVMDqsFALaUqTEIgjA3glVBUbSkpCTuk37//t3pdB45ciTuGRjxxc/G5LLGpOK29hSS3Pz8/LFjx/r7++MbnlSrBYBkELvGhMPhW7du5eXlZWdnnz59emFhgW5/8OBBcXGxQqE4f/683++nG4PB4OXLl2UyWWFh4Z07d8LhsPAktM+fPysUivfv3wuEwd49oF/fv3+/uLg4Nzf33LlzTABc+fn5Hz9+ZA7fvHkjnG9EB5PJdPz48fT0dARBxsfHq6qqZDJZfn7+yZMnv3z5Ei01OsKenh6VSrV9+/YnT56wt7lkMtm9e/fy8vJyc3MvXrz469cvBEH8fn9RURFJkmlpac+ePeMNlcklPz//w4cPIjNi99n0FASGc8+IIMjS0tLVq1dVKtXOnTvv3r0bDofZv/3s7OwzZ84sLCzcuHFDpVIpFIpLly4tLS2tKki2wsLC27dvx7yevNcWSbLVAkAyiF1j+vr6RkZGRkZGnE7njh077HY7giAkSeI4brVax8bGPB5PV1cX3dlgMCwvLxMEMTw8bDabHz9+LDAJze/3nzhxore3t6qqSnzcJEkSBEEH4Ha7u7u76XYVR8RArVZbXV3NrjqM8fHx6upqrVbLbmRvfdTV1Wm1WrfbbbFYKisrpVKpQGokSTocDpvNNjg4WFlZGRH82NjYxMTExMTE5ORkX18fgiBbt251OBwYhgUCAY1GIxyqyIy4SSVJCrzDec/Y3t7u8XgmJyeHh4dNJtOjR4+Q/5afxWLBcdzj8ezZs8fr9RIEMTo66nK5mMUgMsi4cRdM8q8WADYaFYtarZ6cnGS3uFwuBEF+/vxJH1qt1l27dtGvlUolSZL0axzHy8vLBSbBMIyiqNra2tbW1phhMP25AVgsFiaAOY6IeUiSNBqNcrm8sbHR6XTSjU6ns7GxUS6XG41GJn66M4ZhPp+Poiifz4eiaCAQiHl9mAjpgRHx0z9yu910+9DQ0IEDB7g5RguVK1o3blJJkkK04dwzhkIhDMNmZmboQ5PJVFFRQXdbXFykGy0Wi0QiWV5epg+tVuvu3bvFBxkRcLTGiBbeBZMSqwWADRajxiwuLqIoGgqF2I0Ri9vlcuXk5FAU5fP5EARR/kcul6vVauFJuru7JRLJ06dPYwYqcF9gAhDP5/M1NDSgKEofoija0NDA3LYYQ0NDR48eZQ7Pnj1bVlbW0dHR39//7t27aKlxI6T+vmtIpVKm3W6301eJdxQ3VJEZRUsqGVKINpw71uPxZGRkMIdOp3Pbtm3Cv33mUGSQ8dUY3mubQqsFgA0j6pn/li1bxHQLBAISiWRiYgLHcRzHCYLAcVxgkuXl5aGhoZcvX3Z1dQk8UFmVmHtlCIJMT0+3tbWZzWaDwUC3GAwGs9nc2to6PT3N7hnxHaEXL14MDAyUlpaurKx0dHRcv349WmrrhRuq+G68SSVtCqmF99qmymoBYEPFrEJqtRrHcXaLwBtJDMO4WwHRJkFR1G63UxRVV1fX1tYmHIbIzzEx98paWlowDOvo6PB6vex2r9er0+kwDGtpaaFbQqGQUqlkNmoi4DheUFDAmxo3Qurvd6YIa/fj9evX0XY/ooUqMiPepJIhhWjDuWeMtlcm8nOMmCDj+xxDca5tqqwWADZY7BpjNBrLy8sJgpibm6PfJQn8kbe0tFRUVNhsNo/H09fXZzAYxEzicDikUilBEAJhrNdemUajcblcAmfRaDT0a7PZvHfvXuZHdru9pqbm7du3Xq/X7XY3NzfX1dXxpsaNkOLcNU6dOjU3N2ez2crKyvR6Pd2HJEkURZnNdOFQRWbETipJUog2nPd239zcXF9f73a7bTbb/v37Hz58uKoaEzNIt9vN3oyKyJTx7ds33jXGXNtUWS0AbLDYNSYUCt28eVOpVEql0oaGBq/XK/BHHggEdDpdQUFBVlZWbW0t87Yu5iTt7e2HDx8WCGN9n8eI0dnZ2d3dzRyurKzo9fqSkpKMjAy1Wq3RaObn5ym+1LgRUn/fNTAM6+3tVavVOTk5Fy5cYJ5XUxSl1+uzsrIGBwfXPZ3kSSHacN4aQ5LklStXlEplQUGBXq8PhULia4yYIAOBgFQqjXhIzo3k1atXpaWlAtf231stAKyL2DXm/1ZJScno6Oi6T8t7J00ta0xhY66A+LO0t7ezn9VzBQKBoqKigYEBgT6wWgDghW7s059U8vXr180OAWyE/v5+9pdTuDIzM58/f37o0CGBPrBaAOCVdDWG95tgCILMzMys/R9xAsCVnp5+8OBB4T7CBQYAEE3S1Zho7yihwAAAQMpJoyhqs2MAAADwb0ql/7sMAAAgtUCNAQAAkChQYwAAACQK1BgAAACJAjUGAABAokCNAQAAkChQYwAAACQK1BgAAACJAjUGAABAokCNAQAAkCj/A36iPBdM6GSiAAAAAElFTkSuQmCC) \n--- \n \n**Screenshot:** ![hotelsegas.com vulnerability](/twimages/screen-1192913.jpg)\n\n**Mirror:** [Click here to view the mirror](<http://1192913.openbounty.org/mirror/>)\n\n### Coordinated Disclosure Timeline\n\nVulnerability Reported:| 11 June, 2020 15:28 GMT \n---|--- \nVulnerability Verified:| 11 June, 2020 15:38 GMT \nWebsite Operator Notified:| 11 June, 2020 15:38 GMT \na. Using the ISO 29147 guidelines| ![](/images/done.png) \n---|--- \nb. Using publicly available security contacts| ![](/images/done.png) \nc. Using Open Bug Bounty notification framework| ![](/images/done.png) \nd. Using security contacts provided by the researcher| ![](/images/done.png) \nPublic Report Published \n[without any technical details]:| 11 June, 2020 15:38 GMT \nVulnerability Fixed:| 10 September, 2020 07:46 GMT \n---|---\n", "published": "2020-06-11T15:28:00", "modified": "2020-07-11T15:28:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://www.openbugbounty.org/reports/1192913/", "reporter": "xav0", "references": [], "cvelist": [], "lastseen": "2020-09-12T07:46:35", "viewCount": 3, "enchantments": {"dependencies": {}, "score": {"value": -0.1, "vector": "NONE"}, "backreferences": {}, "exploitation": null, "vulnersScore": -0.1}, "openbugbounty": {"patchStatus": "patched", "mirror": "http://1192913.openbounty.org/mirror/"}, "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1645815116, "score": 1659818015, "epss": 1678895942}, "_internal": {"score_hash": "f54ea4c8068a6fd793b4570df78c0b5c"}}