trackman.es Cross Site Scripting vulnerability OBB-1192945

2020-06-11T15:33:00

Description

Following coordinated and responsible vulnerability disclosure guidelines of the **[ISO 29147](<https://www.iso.org/standard/45170.html>)** standard, Open Bug Bounty has: &nbsp&nbsp&nbsp&nbsp&nbsp&nbspa. verified the vulnerability and confirmed its existence; &nbsp&nbsp&nbsp&nbsp&nbsp&nbspb. notified the website operator about its existence. Affected Website:| **[trackman.es](<http://www.trackman.es>) ** ---|--- Open Bug Bounty Program:| **Create your bounty program now**. It's open and free. Vulnerable Application:| Custom Code Vulnerability Type:| **[XSS (Cross Site Scripting)](<https://www.owasp.org/index.php/Cross-site_Scripting_\(XSS\)>)** / CWE-79 CVSSv3 Score:| 6.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N] Disclosure Standard:| Coordinated Disclosure based on **[ISO 29147](<https://www.iso.org/standard/45170.html>)** guidelines Discovered and Reported by:| **kun-fly ** Remediation Guide:| **[OWASP XSS Prevention Cheat Sheet](<https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.md>)** Export Vulnerability Data:| Bugzilla Vulnerability Data JIRA Vulnerability Data [ Configuration ] Mantis Vulnerability Data Splunk Vulnerability Data XML Vulnerability Data [ XSD ] Vulnerable URL: ![](data:image/png;base64, iVBORw0KGgoAAAANSUhEUgAAAiEAAAAjCAIAAADNIk3yAAAACXBIWXMAAA7EAAAOxAGVKw4bAAAQIElEQVR4nO2cf0xT1xfAH6WUWtoCpVR+1FjYRLMZxghjuAEx0zjDGlIdomNM0BFkhhFCYENiHMMMCYJRNA1/sAUNY2QxhBHD2NaRpSOEISOl67pKkNSuFsbKz1TWYfF9/7jf7/2+vL53W/q14pfdz1/cd+8595xz73un77z3CCBJksBgMBgMxg9wNtoADAaDwWxacI7BYDAYjL/AOQaDwWAw/gLnGAwGg8H4C5xjMBgMBuMvcI7BYDAYjL94KnJMXFzc+Pg4WxPjV3C0NyXj4+PvvffeRluB+TcPHz586623/vjjj402ZAPY+Bzzyy+/PHr06IUXXmBsYvwKjvZmpbCwUKFQbLQVmH8TFBTE4/EqKys32pANwEOOuXfvnkgkYuxaWlq6cOECW9N7ent7s7Oz2ZpPAJ8tdwcRrqcTGO2FhYUTJ05ERkbGxsZ++OGHDx8+XJce6Pi9e/fCw8P9YqsnCgoKXqLw6quv+qDkMa6gb6Hw2QDqNp6bm9Pr9eXl5e4Kr169+swzzwQHB7/44otff/01beqA/xAYGBgXF3f+/Pm1tTVaF+TKlSugKzAw8Mcff6Spgr7TZLdt23bmzBm4wdz9pcXt6tWrcXFxISEhL7/88vfff89orbtaj54iJkV75B6HgIAAkUj022+/wcGff/75zp0719bWqBOVl5drNBriHwiJxGw2C4VCb7oQI9GkpqZ+++23bM0ngM+W+1XVkwFGOzs7Oy8vz2q1mkym9PT06urqdemBjpvN5rCwML/Y6omUlBRE00se72bwIRQ+G0AVZPu7paVFoVBoNJrZ2dnOzk6JRKLVamkanE6n0+lcWVnR6XSpqal1dXW0LojL5QJdBEHEx8c7HA5G32lqDQbDK6+8cvbsWTZ/qbItLS3x8fEDAwN2u/3mzZtSqXRwcNAbtd54yjYp2iMwo8lkCgsLg6EoLy8/fvw4HJyYmNje3o5YiH8UG5xjbDZbWFjY6uoqY/PJ8I/NMTDaKysrcrkcnlEjIyPPPvvsulRZrdbk5GTwR2pq6uO31QtwjmG8nMGlIUkyJiZmYGAAily+fFmpVCKmHhwcfO6559BWmc1mgUCQnJxcUlJCPUjLMVSRoaGhXbt2sfVSZWkGt7a2QoPRatfrKc1gtEfuTZvNJhQKzWYzSZJ9fX3x8fEgAVOD//91cXiMePU85sqVK3FxcREREe+8887S0hJBEEtLSwqFwuFwBAQEXL9+ndq8dOmSSCS6ePHi1q1bw8PDCwoK/vrrLzbNvb29Bw4cCAoKojUPHTp08eJFcHB8fDw4OBjMSxDEqVOnduzYgeitqqpCi1dVVUEDaI6Ae9sLFy5ERkZGR0d/+umnBEHcvn17z549W7ZsiYyMPHLkyP3794Hs2tramTNntm7dGhIScuTIkbm5Oaprv/76a0REBLjjBmqbm5vBXf/Ro0fn5uaqqqoiIyMjIiJOnDjx4MEDIMU4F1U8PDz87bffhu5Q+fvvv999912RSLR9+/aPPvoIVDmAzoyMDJFIFBsb++abb8KbehjtLVu2/P777yEhIeD45ORkTEwMQtCd2NjYn3/+Gfzx008/gYPffPMN23gIHOM+19GjRz/55BM4cs+ePdevXycIYnp6+o033hCJRHFxcc3NzR7rUQ8ePDh16lRkZOS2bds+/vhjWPzxJqRs4mxb4v79+6+//rpIJNq5c2dnZyfaMDYlVBjX1H2X0rYxVQNcmqWlJZvNlp6eDrsyMzONRiPCQj6f73K50F4QBMHhcG7cuNHe3v7dd995HEwQBI/HW11d9TjM3eCTJ09eu3bNo1ofPKWxXo+io6MLCwsbGxsJgmhoaKiurg4MDCQowXfHm7Njc+A5xzgcDp1ONzQ0NDIyYrPZqqurCYIIDQ01mUzgXjU/P5/aPHTokMPhGBkZGR0dHR0dHRsbA6FnhO1hjFKphLXLW7duPXr0qL+/HzQ1Go1KpUL0ZmVlocWzsrLgjDRHgL8mk8lgMLS3t4NtOjY2VlxcPDMzYzAY5HJ5aWkpkG1sbNRoNBqNZmJiIiYmhrqJl5aWDh8+3NDQkJGRQQ3j4OCgTqez2Wy7du2y2+16vX54eNhsNtfU1IBhbHM5HA69Xg9WwWKxwPFU6urqVlZW9Hp9f3+/VqttbW0Fx5VKZWFhocViGRwcTE9P5/P5jMEH3Llzp7KysqmpCSEY6Qbj4hYWFu7bt4/tHLt9+/a+ffsKCwvZjMzNze3p6QG909PTOp1OpVIRBFFaWsrj8SYnJzUazY0bNxiVUykrK7PZbGNjY/39/b29vWq12vuQsomzLVNpaalYLDYajX19fdQcwxgxNiVU2NaUtkvdt7E7DoeDz+fD33MEQYjF4uXlZba4/fnnn2fPngUx98jzzz9fW1t78uRJtlQNWVhYOHfuXFFRkUed7gYHBQVt377do9r1esqI9x4BqqurOzs7v/rqK7PZDHc1AvTZsalA3+aA0uTy8jJoDg0NxcfHwy7GWhkQsVgs4Hh3dzesWlgsFoVCAUUcDodQKJyfn3dv2mw2gUDgdDpJkkxNTa2oqMjLywPKxWKxxWJB9K6urqLFabU4WpGBIAhokjuTk5NRUVHgb5lMNjY2xqgqKyvr9OnTtDAuLi6C5uDgIIfDWVlZgVFlrE3BuWirMDg4CFeBilQqhfUuUEwnSXJ+fp7L5YJQUKEFH2C1WuPj47u6uhCCYBgN9zFgivr6eolEkpubOzExAY9PTEzk5uZKJJL6+npgMONcKysrYK1JklSr1dnZ2SRJulwuPp8/NTUFxnR3d8OSBWOtzOVyCYVCOL63tzctLQ0RUtquZhOnApcJ2Ebd+dA2jxGjrjXVAMY1ZdylHkv/7genpqZo9R+CIKRSqVQqlUgkfD6/pKQELAq1C1BaWkpT63K50tLSwGMJ98cbUC2Hwzl48CDCKihL7aqsrAQaqNcfNrXeeIqulaE9cm8CSkpK+Hy+Wq0mmaBNynZ2bD7W9zwGUWal5hg+nw+PG41GmUwG/na5XDabDXZ1d3e/9tprbM2kpKSBgYGZmRm5XL64uCiTyVwuV1tb2+HDhz32ejOA0UfGk3NsbGz//v0xMTFgN4MILC4ucrlcUHWlqaqpqeFwOJ999pk3YaQ1GedCiwPm5+epVwGJRALDfuzYsaSkpIqKiqamph9++IEx2oC0tLSWlhbYZBRcL/Pz8yqVisvlwiNcLlelUsGMi5jr2LFjwJ79+/d3dHSQJGmz2Xg8HpQyGo3oHEMbPzExwXgpZ7yuIcQZl8lms9F2Pvp5jMe1ZltTjymEcYDVaqWaR5Lk5OSkVCqlahAIBCAF2mw26t6mdgFghqPONTExIRAIenp63B9vQEGtVpucnHz58mU2U6Es1eDFxUWr1To8POyNWm889SbHsHlEspyDer2ez+cz/ixjnJRkOjs2H0/0+5jAwMDo6GjYRL+1nJWVpdFobt26pVQqQ0NDk5KStFotrHShe70Z4D0qlSozM1Or1ep0ur6+PppHtMErKyvd3d1dXV3V1dVe3mV7ORcap9PJ4XBGR0d1Op1Op9Pr9TqdDnR98cUXbW1tiYmJq6urFRUV77//PsFUKJuentbr9aAXIUh4XSsjCOLu3bulpaVarbaurg4erKur02q1p0+fvnv3LnouUC5bWFgYGRl5wm+0o1nvMjFGzKMSxJr6AKikUd/uXV5eFovF1DEcDic2NjY2NjY6Opq2t2EXgPEx2I4dO+rr64uLi+12O5tsRkZGS0sLrFiCegN8dkgQhMPhEAgENINDQ0NjY2N5PB7oQqv16CliUi89YkQsFnO53ODgYI8jAYxnxyYEnYJ8u48hKLWynp4exjd8XC6XVCqFVQhakyTJoaGh1NTU7Ozsvr4+kiTVanVZWVlUVBS4E0L3ejOA0Uf33xqzs7PUXxk6nQ5GQCaT6XQ6mioul2s0GkmSVCqV7vUE9zBSm2xzeXMfQ5KkUCik1e7c0el0crncPdokSbpcLtoRd0Hwt5e1spKSEqFQWFFRYbfbaV12u728vFwoFFJf3XGfy+l0SiSSy5cvw7tPUI8CL/CQ/1utzJv7GEZxtmWi1cp6enoQtTIv15pxTX27jyHd3rZqaWlBv23lW9fevXvT0tIQ75UNDw9Ti70ymQy+kUySpFqthlWvmJgY6g10U1MToiBGVYv2FD2pR49IlnMQ/eYYrRdxdmwyfM8xDoeDy+XCSiJsghyTk5NjtVoNBkNSUlJtbS3UAG8ktVrt7t274XFaEyCTyWQyGRCxWq1isTgpKcnLXo8DoCVURxh3iUwmU6vVi4uLExMTKpUKRqC+vj41NVWv11utVvB7hCpuMpn4fL5er0eHkdZknAshTr0xLykpSUtLMxgMNputsbERfNlgNBoPHjwIvjCwWCxFRUVKpZIx2jRtjILuIgjy8/NhMmDEbDbn5+ej58rLyxOLxV9++SWUysnJUalUZrPZYDAkJiaicwxJkkVFRdnZ2RaLxWAwJCcng+IbW0iXl5e5XK7JZIKVIkZxti2hUqmoOx9dK2NUQjOAcU0Zdyl1G1ssFlqxCAC/GrHb7V1dXR6/GqF1sX0f4/7wQygUMn4f43Q6jUZjZmYm9WnltWvXEhIStFot+AhGIpHAqz/8PmZ2drajo0MikQwNDXmjFu0pelKPHpE+5ZjJyUmqiMezY9Pge44hSbK2tlYgEICvjWCzublZKBQ2NDTIZLKwsLDjx4/Dh9u0h3g1NTVQFa0JyMvLy8nJgc2UlBTqGHQvegDNL+gI4y7RarUpKSl8Pj8qKqqiogJGwOVyffDBB1KplM/nq1Qqu91OEy8rK8vMzPQYRmqTcS4vf3SDb8HkcrlAIMjKygK/vldXV2traxMSEng8nkwmy8/Pn5mZYYw2zSpGQdI/IObq6ekRCoVwC5EkOTMzo1QqhUKhQqFoaGig5hgq1B9DxcXFUqlULpfX1tYyXhmpvldXV1N3NaM425awWq0HDhwQCoUJCQlNTU3oHMOmhGoA45qyXcvgNnY6nXw+n/FJMrhq83i8pKQkcItPDQIix7iXQMDDD0ap1tZW2jN/iEwmKy4uhm9bAC5duqRQKHg83u7du7u7u2kGg67k5GTqrYlHtQhP0ZN69Ij0KcfcvHkzMTGRrXcT4yHH+AA60JCEhITh4WG2JsavbJpom0wm+GoDhkpZWZn7Ox2YjcLpdCoUira2to02ZAPg+ukxj0fu3LmDaGL8yqaJtk6ni4+P32grnkaampr+lxcEMI+X4ODgjo4O3/6H3v87G5ZjMBjfOH/+fExMTHZ29tTUVE1Nzblz5zbaoqeRoKCgl156aaOtwPyXf2aCIZ6G/+2PwayLvXv3qtVquVyen59fVlZWUFCw0RZhMBhWAkiS3GgbMBgMBrM5wfcxGAwGg/EXOMdgMBgMxl/gHIPBYDAYf4FzDAaDwWD8Bc4xGAwGg/EXOMdgMBgMxl/gHIPBYDAYf4FzDAaDwWD8Bc4xGAwGg/EXOMdgMBgMxl/8CwSSFC/9avyZAAAAAElFTkSuQmCC) --- Research's Comment: ![](data:image/png;base64, iVBORw0KGgoAAAANSUhEUgAAAiEAAAAjCAIAAADNIk3yAAAACXBIWXMAAA7EAAAOxAGVKw4bAAAJoUlEQVR4nO3cbUhT3x8A8JsNm3POpzkf01mhERJSIlqrLIRERITURq2MEgsRsyGhVrasNFe9aMUYQqESBUEmvggLsRgmobZsDBtDfFi2BqlsOteS2f29OP8uY/dh82HZ7/f/fl65c8+953u+93C/7lxrA47jGAAAAOADfusdAAAAgP8sqDEAAAB8BWoMAAAAX4EaAwAAwFegxgAAAPAVqDEAAAB8BWoMAAAAX4EaAwAAwFc815j5+fnz588nJCQEBAQkJyc3NzcvLS35KJrJycmgoKDV91nbEf+ey3o5yspGv3DhQkBAQFtb2woiefXqVXBw8MzMDNGyd+/eS5cuYfTr58+sq+WuKKvV2tTUtOZhAPB/y3ONOX36tNFofP36tdFoVCqV3d3dGo3mD0T2ZyQkJExPT693FOtvZmZGoVC8f/9eIpGs4PTDhw+LRKKGhgb08cWLFxMTE3V1dRj9+vl71pXrGrBYLI2NjesSBgD/TTgju93OYrEsFgtzt7UyMTHB5XJX32fd/Zkg6UZZweirD1iv13M4nLGxMafTmZSU1NraitOvnz+2rpY7r3/F6gLgX8TD95hfv35hGMZisciHfv78eebMmaCgoISEhKtXrxIbHYODg5mZmQEBAREREUVFRV+/fsV+b0c0NTVFRERER0c/fPgQw7ClpaXa2trIyMjAwMCioiJip+XevXuJiYnh4eEnTpywWq2UgTU3N0dGRoaGhpaUlPz48QM1LiwsnD17NiIiYvPmzdeuXVtaWhofHw8MDPz48SOGYTMzM6GhoW/evHG9jtteyuDg4L59+4KCgmJjY48cOfL582fi0NGjR2/evEl8zMzMbGtrczt9cnIyNDSUHC3qdvfu3cTExNDQ0OPHjxPzokwjZbooE0uXCi9vFjIzMyMUCm0224YNG9ra2shppAvJVXJycllZWU1NTUtLC4/HKykpwejXD8O68hg25T1F4d2+fZs5FQxTwzDMarW65oE5NgCANzzUmMDAwNzcXLFY/O7du4WFBddDDQ0Ndrtdq9V2d3er1WqVSoXaNRpNWVmZ2WzW6XRxcXEVFRWo3Waz6fV6nU7X2toqEokwDJPL5T09PT09PQaDISYmZmRkBHUbHh7u7+8fGBgwmUw1NTXkqGw229BvGo1GLpej9srKSpPJpNFouru7u7q6lEplYmJiXV1dVVUVhmH19fW5ubkHDx5kmG9eXt6pU6eMRmNfX59IJGKz2cSh4uLizs5O9PO3b9+Gh4cLCgqYs+cWs1arRfMyGo1oH4khjeR0USaWLhVu6EZBwsPD9Xo9l8t1OBwSiYScRrqQ3NTX1/f29tbV1SkUCtRCt34Y1pXHsOnuqc1mGxgYYE4F3dSQ4OBg1zzQRQUAWAaP33Tm5uZqamqSkpJYLNa2bdtkMpnT6cRxnM/n22w21Gd4eDg9PZ187ujoaFRUFI7jExMTGIbNzs66HhUIBBqNxrUFdZubm0Mf+/v7t2zZ4nZN1MdoNKKPHR0daWlpOI47nU4ulzs2Nobau7q6MjIycBxfXFzcvn27TCbj8/lms5l8NWJvZHZ2lsViORwOyjzY7XYej4fGVSqV+fn5OGlrZWJiIiQkhLLddV59fX3EvCjTSJkuVyixdKkgb/h4vFnEKXRp9BgSIhaL4+PjXVvo1g9duzdhk++pN6lgmBrRB/bKAFhbnmsMweFw9Pf3Z2RkXL58eXZ2FsMw/m9hYWECgQB102g02dnZMTExqJ3ymYvjuMViYbFYbo8Vuke2Wx82m018HBkZQUObTCZ/f3+i3WAwoPKG43hPTw+GYQqFgjwptxHFYnFqaqpUKr1z587bt2/dOovFYnSR7Ozsx48fMwRMbqfsRpdGyicdObF0qXA7neFmkSOkS6M3D1+tVhsSEpKSkqJSqchHXdePN+3MYbvdU29S4c3UoMYAsLY8bIi72rRpU2ZmpkKhkEgk5eXlfn5+Q0NDxJa6n9//tt0KCgpKS0tVKhWbzZ6amsrJyWG45saNG70PYMXMZrOfn5/ZbPbY8+nTpx8+fNDpdCaTSSqV7tmz5/79+8TR4uLiBw8eSCSSgYGBjo6O1QfmcDjo0ki2rMSueJTVqKyslEql+/fvLywsLC4udns15bp+rl+/7rGdOWzv7ykAYB15fta4bZc7HA6n0xkdHc3hcGZnZ2N/i46OxjDs+/fvJpPpypUrW7dujY2NdX2f4SY4ODgsLOzTp08rCNrhcHz58gX9bDAY4uPjMQwTCAT+/v7j4+OoXa/XC4VCDMOsVmt1dfWTJ09UKpXrO3w6u3fvLikpqa2tffToEfECBsnNzR0eHm5vb8/OzkZvicPCwux2+/z8POowNTW1rInQpZGMLrGUqVjxKBh9Gj16/vz52NhYdXX1gQMHRCJRfX09aqdcPwzt3oRNeU89pmLFUwMArBzz1xy9Xi8QCFpaWkwmk8ViUavVKSkpjY2NOI6fO3cuIyMD/covl8sbGhrQKQKBQKlUWiwWg8FQUFBAt1eG43hjY2N6erpWq52amqqoqFCr1V7ulWEYVlhYODU1pdPpUlNTZTIZOlRaWpqfn280GnU63a5du9BGSnl5eXFxMY7jN27cyMrKIl+NGHFkZCQnJ6e3t3d6etpoNJaWlubl5bn1P3bsGI/He/bsGdGSnp5eWlpqNpsNBoNIJEIBz83NsVgsvV6PNgMZ5kWZRsp0kRNLlwq30RluFmUeKNPIvIlkt9uFQiHaP8Rx3GAwcDgcrVZLt34Y1pUrurDJ99TLVHicms1mY7FYBoOBbqYAgGXx/D7m5cuXWVlZPB6Pw+Hs3LmzpaUFtTscjqqqqri4OA6Hk5ubS7xKVavVaWlpbDY7KipKKpUy1Bin03nx4kU+n89mswsKCqanp72sMVwuVy6XCwSCkJCQkydP2u12dMhms5WVlfH5/Li4OPQOeWhoiMvlolfBDodDKBS2t7eTr4Z+XlxclMlkSUlJ/v7+AoFAIpGQ/0ags7OTy+USI+I4Pjo6eujQIS6Xu2PHDoVCQQRcU1PD4XDQPxNhmBdlGinTRU4sQypcR2e4WZR5IKeRLiRCQ0OD298RVFVVoac/3fqha3dFGTblPUXh3bp1izkV3kxNJpO5pg4AsBobcBxfz69RAKyFycnJlJQUYtMSAPCXgP8TEwAAgK9AjQEAAOArUGMAAAD4CryPAQAA4CvwPQYAAICvQI0BAADgK1BjAAAA+ArUGAAAAL4CNQYAAICvQI0BAADgK1BjAAAA+ArUGAAAAL4CNQYAAICvQI0BAADgK/8ABqKMvXb4DhIAAAAASUVORK5CYII=) --- **Screenshot:** ![trackman.es vulnerability](/twimages/screen-1192945.jpg) **Mirror:** [Click here to view the mirror](<http://1192945.openbounty.org/mirror/>) ### Coordinated Disclosure Timeline Vulnerability Reported:| 11 June, 2020 15:33 GMT ---|--- Vulnerability Verified:| 11 June, 2020 15:42 GMT Website Operator Notified:| 11 June, 2020 15:42 GMT a. Using the ISO 29147 guidelines| ![](/images/done.png) ---|--- b. Using publicly available security contacts| ![](/images/done.png) c. Using Open Bug Bounty notification framework| ![](/images/done.png) d. Using security contacts provided by the researcher| ![](/images/done.png) Public Report Published [without any technical details]:| 11 June, 2020 15:42 GMT

{"id": "OBB:1192945", "type": "openbugbounty", "bulletinFamily": "bugbounty", "title": "trackman.es Cross Site Scripting vulnerability OBB-1192945 ", "description": " \n\n\nFollowing coordinated and responsible vulnerability disclosure guidelines of the **[ISO 29147](<https://www.iso.org/standard/45170.html>)** standard, Open Bug Bounty has: \n\n&nbsp&nbsp&nbsp&nbsp&nbsp&nbspa. verified the vulnerability and confirmed its existence; \n&nbsp&nbsp&nbsp&nbsp&nbsp&nbspb. notified the website operator about its existence.\n\nAffected Website:| **[trackman.es](<http://www.trackman.es>) ** \n---|--- \nOpen Bug Bounty Program:| **Create your bounty program now**. It's open and free. \nVulnerable Application:| Custom Code \nVulnerability Type:| **[XSS (Cross Site Scripting)](<https://www.owasp.org/index.php/Cross-site_Scripting_\\(XSS\\)>)** / CWE-79 \nCVSSv3 Score:| 6.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N] \nDisclosure Standard:| Coordinated Disclosure based on **[ISO 29147](<https://www.iso.org/standard/45170.html>)** guidelines \nDiscovered and Reported by:| **kun-fly ** \nRemediation Guide:| **[OWASP XSS Prevention Cheat Sheet](<https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.md>)** \nExport Vulnerability Data:| Bugzilla Vulnerability Data \nJIRA Vulnerability Data [ Configuration ] \nMantis Vulnerability Data \nSplunk Vulnerability Data \nXML Vulnerability Data [ XSD ] \n \nVulnerable URL:\n\n![](data:image/png;base64, iVBORw0KGgoAAAANSUhEUgAAAiEAAAAjCAIAAADNIk3yAAAACXBIWXMAAA7EAAAOxAGVKw4bAAAQIElEQVR4nO2cf0xT1xfAH6WUWtoCpVR+1FjYRLMZxghjuAEx0zjDGlIdomNM0BFkhhFCYENiHMMMCYJRNA1/sAUNY2QxhBHD2NaRpSOEISOl67pKkNSuFsbKz1TWYfF9/7jf7/2+vL53W/q14pfdz1/cd+8595xz73un77z3CCBJksBgMBgMxg9wNtoADAaDwWxacI7BYDAYjL/AOQaDwWAw/gLnGAwGg8H4C5xjMBgMBuMvcI7BYDAYjL94KnJMXFzc+Pg4WxPjV3C0NyXj4+PvvffeRluB+TcPHz586623/vjjj402ZAPY+Bzzyy+/PHr06IUXXmBsYvwKjvZmpbCwUKFQbLQVmH8TFBTE4/EqKys32pANwEOOuXfvnkgkYuxaWlq6cOECW9N7ent7s7Oz2ZpPAJ8tdwcRrqcTGO2FhYUTJ05ERkbGxsZ++OGHDx8+XJce6Pi9e/fCw8P9YqsnCgoKXqLw6quv+qDkMa6gb6Hw2QDqNp6bm9Pr9eXl5e4Kr169+swzzwQHB7/44otff/01beqA/xAYGBgXF3f+/Pm1tTVaF+TKlSugKzAw8Mcff6Spgr7TZLdt23bmzBm4wdz9pcXt6tWrcXFxISEhL7/88vfff89orbtaj54iJkV75B6HgIAAkUj022+/wcGff/75zp0719bWqBOVl5drNBriHwiJxGw2C4VCb7oQI9GkpqZ+++23bM0ngM+W+1XVkwFGOzs7Oy8vz2q1mkym9PT06urqdemBjpvN5rCwML/Y6omUlBRE00se72bwIRQ+G0AVZPu7paVFoVBoNJrZ2dnOzk6JRKLVamkanE6n0+lcWVnR6XSpqal1dXW0LojL5QJdBEHEx8c7HA5G32lqDQbDK6+8cvbsWTZ/qbItLS3x8fEDAwN2u/3mzZtSqXRwcNAbtd54yjYp2iMwo8lkCgsLg6EoLy8/fvw4HJyYmNje3o5YiH8UG5xjbDZbWFjY6uoqY/PJ8I/NMTDaKysrcrkcnlEjIyPPPvvsulRZrdbk5GTwR2pq6uO31QtwjmG8nMGlIUkyJiZmYGAAily+fFmpVCKmHhwcfO6559BWmc1mgUCQnJxcUlJCPUjLMVSRoaGhXbt2sfVSZWkGt7a2QoPRatfrKc1gtEfuTZvNJhQKzWYzSZJ9fX3x8fEgAVOD//91cXiMePU85sqVK3FxcREREe+8887S0hJBEEtLSwqFwuFwBAQEXL9+ndq8dOmSSCS6ePHi1q1bw8PDCwoK/vrrLzbNvb29Bw4cCAoKojUPHTp08eJFcHB8fDw4OBjMSxDEqVOnduzYgeitqqpCi1dVVUEDaI6Ae9sLFy5ERkZGR0d/+umnBEHcvn17z549W7ZsiYyMPHLkyP3794Hs2tramTNntm7dGhIScuTIkbm5Oaprv/76a0REBLjjBmqbm5vBXf/Ro0fn5uaqqqoiIyMjIiJOnDjx4MEDIMU4F1U8PDz87bffhu5Q+fvvv999912RSLR9+/aPPvoIVDmAzoyMDJFIFBsb++abb8KbehjtLVu2/P777yEhIeD45ORkTEwMQtCd2NjYn3/+Gfzx008/gYPffPMN23gIHOM+19GjRz/55BM4cs+ePdevXycIYnp6+o033hCJRHFxcc3NzR7rUQ8ePDh16lRkZOS2bds+/vhjWPzxJqRs4mxb4v79+6+//rpIJNq5c2dnZyfaMDYlVBjX1H2X0rYxVQNcmqWlJZvNlp6eDrsyMzONRiPCQj6f73K50F4QBMHhcG7cuNHe3v7dd995HEwQBI/HW11d9TjM3eCTJ09eu3bNo1ofPKWxXo+io6MLCwsbGxsJgmhoaKiurg4MDCQowXfHm7Njc+A5xzgcDp1ONzQ0NDIyYrPZqqurCYIIDQ01mUzgXjU/P5/aPHTokMPhGBkZGR0dHR0dHRsbA6FnhO1hjFKphLXLW7duPXr0qL+/HzQ1Go1KpUL0ZmVlocWzsrLgjDRHgL8mk8lgMLS3t4NtOjY2VlxcPDMzYzAY5HJ5aWkpkG1sbNRoNBqNZmJiIiYmhrqJl5aWDh8+3NDQkJGRQQ3j4OCgTqez2Wy7du2y2+16vX54eNhsNtfU1IBhbHM5HA69Xg9WwWKxwPFU6urqVlZW9Hp9f3+/VqttbW0Fx5VKZWFhocViGRwcTE9P5/P5jMEH3Llzp7KysqmpCSEY6Qbj4hYWFu7bt4/tHLt9+/a+ffsKCwvZjMzNze3p6QG909PTOp1OpVIRBFFaWsrj8SYnJzUazY0bNxiVUykrK7PZbGNjY/39/b29vWq12vuQsomzLVNpaalYLDYajX19fdQcwxgxNiVU2NaUtkvdt7E7DoeDz+fD33MEQYjF4uXlZba4/fnnn2fPngUx98jzzz9fW1t78uRJtlQNWVhYOHfuXFFRkUed7gYHBQVt377do9r1esqI9x4BqqurOzs7v/rqK7PZDHc1AvTZsalA3+aA0uTy8jJoDg0NxcfHwy7GWhkQsVgs4Hh3dzesWlgsFoVCAUUcDodQKJyfn3dv2mw2gUDgdDpJkkxNTa2oqMjLywPKxWKxxWJB9K6urqLFabU4WpGBIAhokjuTk5NRUVHgb5lMNjY2xqgqKyvr9OnTtDAuLi6C5uDgIIfDWVlZgVFlrE3BuWirMDg4CFeBilQqhfUuUEwnSXJ+fp7L5YJQUKEFH2C1WuPj47u6uhCCYBgN9zFgivr6eolEkpubOzExAY9PTEzk5uZKJJL6+npgMONcKysrYK1JklSr1dnZ2SRJulwuPp8/NTUFxnR3d8OSBWOtzOVyCYVCOL63tzctLQ0RUtquZhOnApcJ2Ebd+dA2jxGjrjXVAMY1ZdylHkv/7genpqZo9R+CIKRSqVQqlUgkfD6/pKQELAq1C1BaWkpT63K50tLSwGMJ98cbUC2Hwzl48CDCKihL7aqsrAQaqNcfNrXeeIqulaE9cm8CSkpK+Hy+Wq0mmaBNynZ2bD7W9zwGUWal5hg+nw+PG41GmUwG/na5XDabDXZ1d3e/9tprbM2kpKSBgYGZmRm5XL64uCiTyVwuV1tb2+HDhz32ejOA0UfGk3NsbGz//v0xMTFgN4MILC4ucrlcUHWlqaqpqeFwOJ999pk3YaQ1GedCiwPm5+epVwGJRALDfuzYsaSkpIqKiqamph9++IEx2oC0tLSWlhbYZBRcL/Pz8yqVisvlwiNcLlelUsGMi5jr2LFjwJ79+/d3dHSQJGmz2Xg8HpQyGo3oHEMbPzExwXgpZ7yuIcQZl8lms9F2Pvp5jMe1ZltTjymEcYDVaqWaR5Lk5OSkVCqlahAIBCAF2mw26t6mdgFghqPONTExIRAIenp63B9vQEGtVpucnHz58mU2U6Es1eDFxUWr1To8POyNWm889SbHsHlEspyDer2ez+cz/ixjnJRkOjs2H0/0+5jAwMDo6GjYRL+1nJWVpdFobt26pVQqQ0NDk5KStFotrHShe70Z4D0qlSozM1Or1ep0ur6+PppHtMErKyvd3d1dXV3V1dVe3mV7ORcap9PJ4XBGR0d1Op1Op9Pr9TqdDnR98cUXbW1tiYmJq6urFRUV77//PsFUKJuentbr9aAXIUh4XSsjCOLu3bulpaVarbaurg4erKur02q1p0+fvnv3LnouUC5bWFgYGRl5wm+0o1nvMjFGzKMSxJr6AKikUd/uXV5eFovF1DEcDic2NjY2NjY6Opq2t2EXgPEx2I4dO+rr64uLi+12O5tsRkZGS0sLrFiCegN8dkgQhMPhEAgENINDQ0NjY2N5PB7oQqv16CliUi89YkQsFnO53ODgYI8jAYxnxyYEnYJ8u48hKLWynp4exjd8XC6XVCqFVQhakyTJoaGh1NTU7Ozsvr4+kiTVanVZWVlUVBS4E0L3ejOA0Uf33xqzs7PUXxk6nQ5GQCaT6XQ6mioul2s0GkmSVCqV7vUE9zBSm2xzeXMfQ5KkUCik1e7c0el0crncPdokSbpcLtoRd0Hwt5e1spKSEqFQWFFRYbfbaV12u728vFwoFFJf3XGfy+l0SiSSy5cvw7tPUI8CL/CQ/1utzJv7GEZxtmWi1cp6enoQtTIv15pxTX27jyHd3rZqaWlBv23lW9fevXvT0tIQ75UNDw9Ti70ymQy+kUySpFqthlWvmJgY6g10U1MToiBGVYv2FD2pR49IlnMQ/eYYrRdxdmwyfM8xDoeDy+XCSiJsghyTk5NjtVoNBkNSUlJtbS3UAG8ktVrt7t274XFaEyCTyWQyGRCxWq1isTgpKcnLXo8DoCVURxh3iUwmU6vVi4uLExMTKpUKRqC+vj41NVWv11utVvB7hCpuMpn4fL5er0eHkdZknAshTr0xLykpSUtLMxgMNputsbERfNlgNBoPHjwIvjCwWCxFRUVKpZIx2jRtjILuIgjy8/NhMmDEbDbn5+ej58rLyxOLxV9++SWUysnJUalUZrPZYDAkJiaicwxJkkVFRdnZ2RaLxWAwJCcng+IbW0iXl5e5XK7JZIKVIkZxti2hUqmoOx9dK2NUQjOAcU0Zdyl1G1ssFlqxCAC/GrHb7V1dXR6/GqF1sX0f4/7wQygUMn4f43Q6jUZjZmYm9WnltWvXEhIStFot+AhGIpHAqz/8PmZ2drajo0MikQwNDXmjFu0pelKPHpE+5ZjJyUmqiMezY9Pge44hSbK2tlYgEICvjWCzublZKBQ2NDTIZLKwsLDjx4/Dh9u0h3g1NTVQFa0JyMvLy8nJgc2UlBTqGHQvegDNL+gI4y7RarUpKSl8Pj8qKqqiogJGwOVyffDBB1KplM/nq1Qqu91OEy8rK8vMzPQYRmqTcS4vf3SDb8HkcrlAIMjKygK/vldXV2traxMSEng8nkwmy8/Pn5mZYYw2zSpGQdI/IObq6ekRCoVwC5EkOTMzo1QqhUKhQqFoaGig5hgq1B9DxcXFUqlULpfX1tYyXhmpvldXV1N3NaM425awWq0HDhwQCoUJCQlNTU3oHMOmhGoA45qyXcvgNnY6nXw+n/FJMrhq83i8pKQkcItPDQIix7iXQMDDD0ap1tZW2jN/iEwmKy4uhm9bAC5duqRQKHg83u7du7u7u2kGg67k5GTqrYlHtQhP0ZN69Ij0KcfcvHkzMTGRrXcT4yHH+AA60JCEhITh4WG2JsavbJpom0wm+GoDhkpZWZn7Ox2YjcLpdCoUira2to02ZAPg+ukxj0fu3LmDaGL8yqaJtk6ni4+P32grnkaampr+lxcEMI+X4ODgjo4O3/6H3v87G5ZjMBjfOH/+fExMTHZ29tTUVE1Nzblz5zbaoqeRoKCgl156aaOtwPyXf2aCIZ6G/+2PwayLvXv3qtVquVyen59fVlZWUFCw0RZhMBhWAkiS3GgbMBgMBrM5wfcxGAwGg/EXOMdgMBgMxl/gHIPBYDAYf4FzDAaDwWD8Bc4xGAwGg/EXOMdgMBgMxl/gHIPBYDAYf4FzDAaDwWD8Bc4xGAwGg/EXOMdgMBgMxl/8CwSSFC/9avyZAAAAAElFTkSuQmCC) \n--- \n \nResearch's Comment:\n\n![](data:image/png;base64, iVBORw0KGgoAAAANSUhEUgAAAiEAAAAjCAIAAADNIk3yAAAACXBIWXMAAA7EAAAOxAGVKw4bAAAJoUlEQVR4nO3cbUhT3x8A8JsNm3POpzkf01mhERJSIlqrLIRERITURq2MEgsRsyGhVrasNFe9aMUYQqESBUEmvggLsRgmobZsDBtDfFi2BqlsOteS2f29OP8uY/dh82HZ7/f/fl65c8+953u+93C/7lxrA47jGAAAAOADfusdAAAAgP8sqDEAAAB8BWoMAAAAX4EaAwAAwFegxgAAAPAVqDEAAAB8BWoMAAAAX4EaAwAAwFc815j5+fnz588nJCQEBAQkJyc3NzcvLS35KJrJycmgoKDV91nbEf+ey3o5yspGv3DhQkBAQFtb2woiefXqVXBw8MzMDNGyd+/eS5cuYfTr58+sq+WuKKvV2tTUtOZhAPB/y3ONOX36tNFofP36tdFoVCqV3d3dGo3mD0T2ZyQkJExPT693FOtvZmZGoVC8f/9eIpGs4PTDhw+LRKKGhgb08cWLFxMTE3V1dRj9+vl71pXrGrBYLI2NjesSBgD/TTgju93OYrEsFgtzt7UyMTHB5XJX32fd/Zkg6UZZweirD1iv13M4nLGxMafTmZSU1NraitOvnz+2rpY7r3/F6gLgX8TD95hfv35hGMZisciHfv78eebMmaCgoISEhKtXrxIbHYODg5mZmQEBAREREUVFRV+/fsV+b0c0NTVFRERER0c/fPgQw7ClpaXa2trIyMjAwMCioiJip+XevXuJiYnh4eEnTpywWq2UgTU3N0dGRoaGhpaUlPz48QM1LiwsnD17NiIiYvPmzdeuXVtaWhofHw8MDPz48SOGYTMzM6GhoW/evHG9jtteyuDg4L59+4KCgmJjY48cOfL582fi0NGjR2/evEl8zMzMbGtrczt9cnIyNDSUHC3qdvfu3cTExNDQ0OPHjxPzokwjZbooE0uXCi9vFjIzMyMUCm0224YNG9ra2shppAvJVXJycllZWU1NTUtLC4/HKykpwejXD8O68hg25T1F4d2+fZs5FQxTwzDMarW65oE5NgCANzzUmMDAwNzcXLFY/O7du4WFBddDDQ0Ndrtdq9V2d3er1WqVSoXaNRpNWVmZ2WzW6XRxcXEVFRWo3Waz6fV6nU7X2toqEokwDJPL5T09PT09PQaDISYmZmRkBHUbHh7u7+8fGBgwmUw1NTXkqGw229BvGo1GLpej9srKSpPJpNFouru7u7q6lEplYmJiXV1dVVUVhmH19fW5ubkHDx5kmG9eXt6pU6eMRmNfX59IJGKz2cSh4uLizs5O9PO3b9+Gh4cLCgqYs+cWs1arRfMyGo1oH4khjeR0USaWLhVu6EZBwsPD9Xo9l8t1OBwSiYScRrqQ3NTX1/f29tbV1SkUCtRCt34Y1pXHsOnuqc1mGxgYYE4F3dSQ4OBg1zzQRQUAWAaP33Tm5uZqamqSkpJYLNa2bdtkMpnT6cRxnM/n22w21Gd4eDg9PZ187ujoaFRUFI7jExMTGIbNzs66HhUIBBqNxrUFdZubm0Mf+/v7t2zZ4nZN1MdoNKKPHR0daWlpOI47nU4ulzs2Nobau7q6MjIycBxfXFzcvn27TCbj8/lms5l8NWJvZHZ2lsViORwOyjzY7XYej4fGVSqV+fn5OGlrZWJiIiQkhLLddV59fX3EvCjTSJkuVyixdKkgb/h4vFnEKXRp9BgSIhaL4+PjXVvo1g9duzdhk++pN6lgmBrRB/bKAFhbnmsMweFw9Pf3Z2RkXL58eXZ2FsMw/m9hYWECgQB102g02dnZMTExqJ3ymYvjuMViYbFYbo8Vuke2Wx82m018HBkZQUObTCZ/f3+i3WAwoPKG43hPTw+GYQqFgjwptxHFYnFqaqpUKr1z587bt2/dOovFYnSR7Ozsx48fMwRMbqfsRpdGyicdObF0qXA7neFmkSOkS6M3D1+tVhsSEpKSkqJSqchHXdePN+3MYbvdU29S4c3UoMYAsLY8bIi72rRpU2ZmpkKhkEgk5eXlfn5+Q0NDxJa6n9//tt0KCgpKS0tVKhWbzZ6amsrJyWG45saNG70PYMXMZrOfn5/ZbPbY8+nTpx8+fNDpdCaTSSqV7tmz5/79+8TR4uLiBw8eSCSSgYGBjo6O1QfmcDjo0ki2rMSueJTVqKyslEql+/fvLywsLC4udns15bp+rl+/7rGdOWzv7ykAYB15fta4bZc7HA6n0xkdHc3hcGZnZ2N/i46OxjDs+/fvJpPpypUrW7dujY2NdX2f4SY4ODgsLOzTp08rCNrhcHz58gX9bDAY4uPjMQwTCAT+/v7j4+OoXa/XC4VCDMOsVmt1dfWTJ09UKpXrO3w6u3fvLikpqa2tffToEfECBsnNzR0eHm5vb8/OzkZvicPCwux2+/z8POowNTW1rInQpZGMLrGUqVjxKBh9Gj16/vz52NhYdXX1gQMHRCJRfX09aqdcPwzt3oRNeU89pmLFUwMArBzz1xy9Xi8QCFpaWkwmk8ViUavVKSkpjY2NOI6fO3cuIyMD/covl8sbGhrQKQKBQKlUWiwWg8FQUFBAt1eG43hjY2N6erpWq52amqqoqFCr1V7ulWEYVlhYODU1pdPpUlNTZTIZOlRaWpqfn280GnU63a5du9BGSnl5eXFxMY7jN27cyMrKIl+NGHFkZCQnJ6e3t3d6etpoNJaWlubl5bn1P3bsGI/He/bsGdGSnp5eWlpqNpsNBoNIJEIBz83NsVgsvV6PNgMZ5kWZRsp0kRNLlwq30RluFmUeKNPIvIlkt9uFQiHaP8Rx3GAwcDgcrVZLt34Y1pUrurDJ99TLVHicms1mY7FYBoOBbqYAgGXx/D7m5cuXWVlZPB6Pw+Hs3LmzpaUFtTscjqqqqri4OA6Hk5ubS7xKVavVaWlpbDY7KipKKpUy1Bin03nx4kU+n89mswsKCqanp72sMVwuVy6XCwSCkJCQkydP2u12dMhms5WVlfH5/Li4OPQOeWhoiMvlolfBDodDKBS2t7eTr4Z+XlxclMlkSUlJ/v7+AoFAIpGQ/0ags7OTy+USI+I4Pjo6eujQIS6Xu2PHDoVCQQRcU1PD4XDQPxNhmBdlGinTRU4sQypcR2e4WZR5IKeRLiRCQ0OD298RVFVVoac/3fqha3dFGTblPUXh3bp1izkV3kxNJpO5pg4AsBobcBxfz69RAKyFycnJlJQUYtMSAPCXgP8TEwAAgK9AjQEAAOArUGMAAAD4CryPAQAA4CvwPQYAAICvQI0BAADgK1BjAAAA+ArUGAAAAL4CNQYAAICvQI0BAADgK1BjAAAA+ArUGAAAAL4CNQYAAICvQI0BAADgK/8ABqKMvXb4DhIAAAAASUVORK5CYII=) \n--- \n \n**Screenshot:** ![trackman.es vulnerability](/twimages/screen-1192945.jpg)\n\n**Mirror:** [Click here to view the mirror](<http://1192945.openbounty.org/mirror/>)\n\n### Coordinated Disclosure Timeline\n\nVulnerability Reported:| 11 June, 2020 15:33 GMT \n---|--- \nVulnerability Verified:| 11 June, 2020 15:42 GMT \nWebsite Operator Notified:| 11 June, 2020 15:42 GMT \na. Using the ISO 29147 guidelines| ![](/images/done.png) \n---|--- \nb. Using publicly available security contacts| ![](/images/done.png) \nc. Using Open Bug Bounty notification framework| ![](/images/done.png) \nd. Using security contacts provided by the researcher| ![](/images/done.png) \nPublic Report Published \n[without any technical details]:| 11 June, 2020 15:42 GMT\n", "published": "2020-06-11T15:33:00", "modified": "2020-09-09T15:33:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://www.openbugbounty.org/reports/1192945/", "reporter": "kun-fly", "references": [], "cvelist": [], "lastseen": "2020-09-12T07:45:42", "viewCount": 4, "enchantments": {"dependencies": {}, "score": {"value": 0.7, "vector": "NONE"}, "backreferences": {}, "exploitation": null, "vulnersScore": 0.7}, "openbugbounty": {"patchStatus": "unpatched", "mirror": "http://1192945.openbounty.org/mirror/"}, "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1645576719, "score": 1659818015, "epss": 1678895942}, "_internal": {"score_hash": "c35e210bafbd86cc4f3488c9f05ab7db"}}