Following coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has:
      a. verified the vulnerability and confirmed its existence;
      b. notified the website operator about its existence.
Affected Website: cvg.ethz.ch
Vulnerable Application: Custom Code
Vulnerability Type: XSS (Cross Site Scripting) / CWE-79
CVSSv3 Score: 6.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N]
Disclosure Standard: Coordinated Disclosure based on ISO 29147 guidelines
Discovered and Reported by: xav0
Remediation Guide: OWASP XSS Prevention Cheat Sheet
Vulnerable URL: (shown only as an image on the original page; not reproduced here)
Screenshot: cvg.ethz.ch vulnerability (image not reproduced)
Coordinated Disclosure Timeline
Vulnerability Reported: 12 June, 2020 09:27 GMT
Vulnerability Verified: 12 June, 2020 09:39 GMT
Website Operator Notified: 12 June, 2020 09:39 GMT
      a. Using the ISO 29147 guidelines (done)
      b. Using publicly available security contacts (done)
      c. Using Open Bug Bounty notification framework (done)
      d. Using security contacts provided by the researcher (done)
Public Report Published (without any technical details): 12 June, 2020 09:39 GMT