tncarbide.com Cross Site Scripting vulnerability OBB-1193252

2020-06-11 23:01:00
badmaxx
www.openbugbounty.org

Following coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has:

    a. verified the vulnerability and confirmed its existence;
    b. notified the website operator about its existence.

Affected Website: tncarbide.com
Open Bug Bounty Program: Create your bounty program now. It’s open and free.
Vulnerable Application: Custom Code
Vulnerability Type: XSS (Cross Site Scripting) / CWE-79
CVSSv3 Score: 6.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N]
Disclosure Standard: Coordinated Disclosure based on ISO 29147 guidelines
Discovered and Reported by: badmaxx
Remediation Guide: OWASP XSS Prevention Cheat Sheet
Export Vulnerability Data: Bugzilla, JIRA, Mantis, Splunk, XML (XSD available)

Vulnerable URL:


Screenshot: tncarbide.com vulnerability

Mirror: Click here to view the mirror

Coordinated Disclosure Timeline

Vulnerability Reported: 11 June, 2020 23:01 GMT
Vulnerability Verified: 11 June, 2020 23:09 GMT
Website Operator Notified: 11 June, 2020 23:09 GMT
a. Using the ISO 29147 guidelines
b. Using publicly available security contacts
c. Using Open Bug Bounty notification framework
d. Using security contacts provided by the researcher
Public Report Published (without any technical details): 11 June, 2020 23:09 GMT
Additional notification email sent: 6 August, 2020 14:16 GMT