
risquesnaturels.re Cross Site Scripting vulnerability OBB-1192930

Published: 2020-06-11 15:31:00
Reported by: xav0
Source: www.openbugbounty.org

Following coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has:

    a. verified the vulnerability and confirmed its existence;
    b. notified the website operator about its existence.

Affected Website: risquesnaturels.re
Vulnerable Application: Custom Code
Vulnerability Type: XSS (Cross Site Scripting) / CWE-79
CVSSv3 Score: 6.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N]
Disclosure Standard: Coordinated Disclosure based on ISO 29147 guidelines
Discovered and Reported by: xav0
Remediation Guide: OWASP XSS Prevention Cheat Sheet

Vulnerable URL: (given in the original report as an image; not reproduced here)

HTTP POST data: (given in the original report as an image; not reproduced here)
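The report classifies the issue as CWE-79 delivered through HTTP POST data and scores it with UI:R, which fits a reflected XSS: the victim has to submit the form (or be made to submit it) for the injected value to come back in the response. The site's own code is not disclosed, so the following is an added illustration, not the risquesnaturels.re application: a handler that reflects a POST parameter into HTML unencoded, the same handler fixed with context-aware output encoding as the linked OWASP XSS Prevention Cheat Sheet recommends, and a small retest helper of the kind one would run after the operator reports a fix. The parameter name `q`, the markup and the payload are assumptions.

```python
# Added illustration (not the risquesnaturels.re code, which the report does not
# disclose): how a POST parameter reflected into HTML without encoding yields
# CWE-79, and the fix recommended by the OWASP XSS Prevention Cheat Sheet,
# context-aware output encoding. Parameter name "q" and the markup are assumptions.
import html
from urllib.parse import parse_qs, urlencode

# Constructed payload: closes the quoted attribute, then injects a script element.
PAYLOAD = 'x"><script>alert(1)</script>'


def build_post_body(value: str) -> str:
    """Encode a form submission as an application/x-www-form-urlencoded body."""
    return urlencode({"q": value})


def _reflected_value(post_body: str) -> str:
    """Decode the body the way a server-side handler would (parse_qs reverses urlencode)."""
    return parse_qs(post_body, keep_blank_values=True).get("q", [""])[0]


def render_vulnerable(post_body: str) -> str:
    """Reflects the raw POST value into an attribute and into element content.
    Both are HTML contexts, so '<', '>' and '"' in the input become markup."""
    q = _reflected_value(post_body)
    return f'<input name="q" value="{q}">\n<p>Results for: {q}</p>'


def render_hardened(post_body: str) -> str:
    """Same template, but the value is encoded for the HTML contexts it lands in.
    html.escape(quote=True) turns & < > " ' into entities, so the browser treats
    the input as text in both the attribute and the element body. The attribute
    must also be quoted (it is); encoding alone does not protect an unquoted one."""
    q = html.escape(_reflected_value(post_body), quote=True)
    return f'<input name="q" value="{q}">\n<p>Results for: {q}</p>'


def reflects_unencoded(render, value: str = PAYLOAD) -> bool:
    """Retest helper for verifying a fix: True if the response still contains the
    payload as live markup, i.e. the vulnerability is still present."""
    return "<script>" in render(build_post_body(value))


if __name__ == "__main__":
    body = build_post_body(PAYLOAD)
    print("POST body:", body)
    print("vulnerable:", render_vulnerable(body))
    print("hardened:  ", render_hardened(body))
    print("still vulnerable after fix?", reflects_unencoded(render_hardened))
```

Encoding is per context: `html.escape` is correct for element content and quoted attribute values, but a value placed inside a `<script>` block, a URL, or a CSS property needs the encoder for that context, which is the cheat sheet's central rule. A Content-Security-Policy that disallows inline script is a worthwhile second layer, but it does not remove the CWE-79 defect and should not be the only fix.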


Coordinated Disclosure Timeline

Vulnerability Reported: 11 June, 2020 15:31 GMT
Vulnerability Verified: 11 June, 2020 15:44 GMT
Website Operator Notified: 11 June, 2020 15:44 GMT
    a. Using the ISO 29147 guidelines
    b. Using publicly available security contacts
    c. Using Open Bug Bounty notification framework
    d. Using security contacts provided by the researcher
Public Report Published [without any technical details]: 11 June, 2020 15:44 GMT