
rmcg.es Cross Site Scripting vulnerability OBB-1194403

Description

Following the coordinated and responsible vulnerability disclosure guidelines of the **[ISO 29147](<https://www.iso.org/standard/45170.html>)** standard, Open Bug Bounty has:

a. verified the vulnerability and confirmed its existence;
b. notified the website operator about its existence.

| Field | Value |
|---|---|
| Affected Website: | **[rmcg.es](<http://rmcg.es>)** |
| Vulnerable Application: | Custom Code |
| Vulnerability Type: | **[XSS (Cross Site Scripting)](<https://www.owasp.org/index.php/Cross-site_Scripting_\(XSS\)>)** / CWE-79 |
| CVSSv3 Score: | 6.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N] |
| Disclosure Standard: | Coordinated Disclosure based on **[ISO 29147](<https://www.iso.org/standard/45170.html>)** guidelines |
| Discovered and Reported by: | **xav0** |
| Remediation Guide: | **[OWASP XSS Prevention Cheat Sheet](<https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.md>)** |
| Vulnerable URL: | (provided as an image; not reproduced here) |
| HTTP POST data: | (provided as an image; not reproduced here) |

**Screenshot:** ![rmcg.es vulnerability](/twimages/screen-1194403.jpg)

**Mirror:** [Click here to view the mirror](<http://1194403.openbounty.org/mirror/>)

### Coordinated Disclosure Timeline

| Event | Time |
|---|---|
| Vulnerability Reported: | 12 June, 2020 12:48 GMT |
| Vulnerability Verified: | 12 June, 2020 13:00 GMT |
| Website Operator Notified: | 12 June, 2020 13:00 GMT |
| Public Report Published [without any technical details]: | 12 June, 2020 13:00 GMT |

Operator notification channels used:

a. Using the ISO 29147 guidelines: done
b. Using publicly available security contacts: done
c. Using Open Bug Bounty notification framework: done
d. Using security contacts provided by the researcher: done
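The report above deliberately publishes no technical details, so nothing here describes the actual rmcg.es issue. As an added, generic illustration of CWE-79 in a POST handler and of the output-encoding fix the linked OWASP cheat sheet recommends, the following example (not code from the affected site or from Open Bug Bounty) parses a constructed form body, renders it once without encoding and once with context-appropriate HTML encoding, and runs the crude breakout check a tester would script. The field names `name` and `q`, the sample body, and the helper names are all assumptions made for the example.

```python
import html
from urllib.parse import parse_qs

# Constructed sample POST body (not from the report): one field carries a
# classic <script> probe, the other an attribute-breakout probe.
SAMPLE_POST_BODY = (
    "name=%3Cscript%3Ealert%281%29%3C%2Fscript%3E"
    "&q=%22%20onmouseover%3D%22alert%282%29"
)


def parse_post(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body into single-valued fields."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def render_unsafe(fields: dict) -> str:
    """CWE-79 pattern: request fields are interpolated into HTML with no encoding.

    A <script> tag in `name` lands in the HTML body intact, and a quote in `q`
    closes the value attribute so the rest of the payload becomes a new
    attribute (here an event handler).
    """
    return (
        "<p>Hello, {name}</p>\n"
        '<input type="text" value="{q}">'
    ).format(name=fields.get("name", ""), q=fields.get("q", ""))


def render_safe(fields: dict) -> str:
    """Hardened form: encode for the HTML context each value is placed in.

    html.escape turns &, <, > (and with quote=True also " and ') into
    entities, which is the cheat sheet's rule for HTML body and quoted
    attribute contexts.  Note the attribute is also kept quoted: escaping
    alone does not protect an unquoted attribute.
    """
    name = html.escape(fields.get("name", ""), quote=True)  # HTML body context
    q = html.escape(fields.get("q", ""), quote=True)        # quoted-attribute context
    return (
        "<p>Hello, {name}</p>\n"
        '<input type="text" value="{q}">'
    ).format(name=name, q=q)


def looks_injected(rendered: str) -> bool:
    """Crude tester check: did a raw tag or an attribute breakout survive rendering?"""
    return "<script>" in rendered or '" onmouseover="' in rendered


if __name__ == "__main__":
    fields = parse_post(SAMPLE_POST_BODY)
    print("unsafe injected:", looks_injected(render_unsafe(fields)))  # True
    print("safe injected:  ", looks_injected(render_safe(fields)))    # False
```

The `looks_injected` check is only a smoke test for this example; real verification is done by loading the rendered page in a browser and watching whether the handler fires, which is what a report screenshot like the one above documents.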