
comune.brognaturo.vv.it Cross Site Scripting vulnerability OBB-1194370

Description

Following the coordinated and responsible vulnerability disclosure guidelines of the **[ISO 29147](<https://www.iso.org/standard/45170.html>)** standard, Open Bug Bounty has:

a. verified the vulnerability and confirmed its existence;
b. notified the website operator about its existence.

| | |
|---|---|
| Affected Website: | **[comune.brognaturo.vv.it](<http://comune.brognaturo.vv.it>)** |
| Vulnerable Application: | Custom Code |
| Vulnerability Type: | **[XSS (Cross Site Scripting)](<https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)>)** / CWE-79 |
| CVSSv3 Score: | 6.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N] |
| Disclosure Standard: | Coordinated Disclosure based on **[ISO 29147](<https://www.iso.org/standard/45170.html>)** guidelines |
| Discovered and Reported by: | **xav0** |
| Remediation Guide: | **[OWASP XSS Prevention Cheat Sheet](<https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.md>)** |

**Screenshot:** ![comune.brognaturo.vv.it vulnerability](/twimages/screen-1194370.jpg)

**Mirror:** [Click here to view the mirror](<http://1194370.openbounty.org/mirror/>)

### Coordinated Disclosure Timeline

| | |
|---|---|
| Vulnerability Reported: | 12 June, 2020 12:45 GMT |
| Vulnerability Verified: | 12 June, 2020 12:57 GMT |
| Website Operator Notified: | 12 June, 2020 12:57 GMT |
| a. Using the ISO 29147 guidelines | done |
| b. Using publicly available security contacts | done |
| c. Using Open Bug Bounty notification framework | done |
| d. Using security contacts provided by the researcher | done |
| Public Report Published [without any technical details]: | 12 June, 2020 12:57 GMT |