Following coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has:
      a. verified the vulnerability and confirmed its existence;
      b. notified the website operator about its existence.
Affected Website: manchesterfoodanddrinkfestival.nutickets.com
Vulnerable Application: Custom Code
Vulnerability Type: XSS (Cross Site Scripting) / CWE-79
CVSSv3 Score: 6.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N]
Disclosure Standard: Coordinated Disclosure based on ISO 29147 guidelines
Discovered and Reported by: xav0
Remediation Guide: OWASP XSS Prevention Cheat Sheet
Coordinated Disclosure Timeline
Vulnerability Reported: 12 June, 2020 12:38 GMT
Vulnerability Verified: 12 June, 2020 12:50 GMT
Website Operator Notified: 12 June, 2020 12:50 GMT
      a. Using the ISO 29147 guidelines: done
      b. Using publicly available security contacts: done
      c. Using Open Bug Bounty notification framework: done
      d. Using security contacts provided by the researcher: done
Public Report Published [without any technical details]: 12 June, 2020 12:50 GMT
Vulnerability Fixed: 11 September, 2020 02:42 GMT