Following coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has:
      a. verified the vulnerability and confirmed its existence;
      b. notified the website operator about its existence.
| Field | Value |
|---|---|
| Affected Website | pigati.com |
| Open Bug Bounty Program | Create your bounty program now. It’s open and free. |
| Vulnerable Application | Custom Code |
| Vulnerability Type | XSS (Cross Site Scripting) / CWE-79 |
| CVSSv3 Score | 6.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N] |
| Disclosure Standard | Coordinated Disclosure based on ISO 29147 guidelines |
| Discovered and Reported by | xav0 |
| Remediation Guide | OWASP XSS Prevention Cheat Sheet |
| Export Vulnerability Data | Bugzilla Vulnerability Data; JIRA Vulnerability Data [ Configuration ]; Mantis Vulnerability Data; Splunk Vulnerability Data; XML Vulnerability Data [ XSD ] |
Vulnerable URL: (shown only as an image on the original page; not reproduced)
HTTP POST data: (shown only as an image on the original page; not reproduced)
Screenshot: ![pigati.com vulnerability](/twimages/screen-1192924.jpg)
Mirror: Click here to view the mirror
Coordinated Disclosure Timeline
| Event | Date |
|---|---|
| Vulnerability Reported | 11 June, 2020 15:30 GMT |
| Vulnerability Verified | 11 June, 2020 15:39 GMT |
| Website Operator Notified | 11 June, 2020 15:39 GMT |
| a. Using the ISO 29147 guidelines | done |
| b. Using publicly available security contacts | done |
| c. Using Open Bug Bounty notification framework | done |
| d. Using security contacts provided by the researcher | done |
| Public Report Published [without any technical details] | 11 June, 2020 15:39 GMT |