
ccisbonds.com Cross Site Scripting vulnerability OBB-1194838

Description

Following the coordinated and responsible vulnerability disclosure guidelines of the **[ISO 29147](<https://www.iso.org/standard/45170.html>)** standard, Open Bug Bounty has:

a. verified the vulnerability and confirmed its existence;
b. notified the website operator about its existence.

| Field | Value |
|---|---|
| Affected Website | **[ccisbonds.com](<https://www.ccisbonds.com>)** |
| Vulnerable Application | Custom Code |
| Vulnerability Type | **[XSS (Cross Site Scripting)](<https://www.owasp.org/index.php/Cross-site_Scripting_\(XSS\)>)** / CWE-79 |
| CVSSv3 Score | 6.1 (Medium) [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N] |
| Disclosure Standard | Coordinated Disclosure based on **[ISO 29147](<https://www.iso.org/standard/45170.html>)** guidelines |
| Discovered and Reported by | **xav0** |
| Remediation Guide | **[OWASP XSS Prevention Cheat Sheet](<https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.md>)** |
| Vulnerable URL | (image in the original report; not reproduced) |
| HTTP POST data | (image in the original report; not reproduced) |

**Screenshot:** ![ccisbonds.com vulnerability](/twimages/screen-1194838.jpg)

**Mirror:** [Click here to view the mirror](<http://1194838.openbounty.org/mirror/>)

### Coordinated Disclosure Timeline

| Event | Time |
|---|---|
| Vulnerability Reported | 12 June, 2020 17:40 GMT |
| Vulnerability Verified | 12 June, 2020 17:55 GMT |
| Website Operator Notified | 12 June, 2020 17:55 GMT |
| Public Report Published (without any technical details) | 12 June, 2020 17:55 GMT |

Operator notification channels used:

a. Using the ISO 29147 guidelines: done
b. Using publicly available security contacts: done
c. Using Open Bug Bounty notification framework: done
d. Using security contacts provided by the researcher: done
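The report does not include the vulnerable URL or POST data, so the defect itself cannot be reproduced from this page. What can be shown is the class of bug the CWE-79 label and the linked OWASP cheat sheet refer to: a POST field reflected into HTML without output encoding, beside the hardened form that applies the cheat sheet's first three rules (entity-encode for HTML body and quoted attributes, JSON-encode for a quoted JavaScript string). This is an added example written for this page, not code from the ccisbonds.com application (which is described only as "Custom Code"); the field name `q`, the payload and the page templates are all constructed for illustration.

```python
import html
import json

# Constructed sample input: a classic attribute-breakout payload. The real
# parameter name and payload from the report are not on this page.
PAYLOAD = '"><script>alert(1)</script>'


def render_vulnerable(value: str) -> str:
    """Reflects the submitted field into an attribute and the page body
    without any encoding: the CWE-79 pattern this report is about."""
    return (f'<input type="text" name="q" value="{value}">'
            f'<p>Results for {value}</p>')


def encode_html(value: str) -> str:
    """OWASP XSS Prevention rules #1/#2: entity-encode & < > " ' so the
    value is inert in HTML body text and in quoted attributes."""
    return html.escape(value, quote=True)


def encode_js_string(value: str) -> str:
    """OWASP rule #3: data placed inside a quoted JavaScript string.
    json.dumps escapes quotes, backslashes and control characters; < and >
    are additionally escaped so a '</script>' in the data cannot terminate
    the enclosing <script> block early."""
    return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")


def render_hardened(value: str) -> str:
    """Same page, with context-appropriate encoding at each insertion point."""
    safe = encode_html(value)
    return (f'<input type="text" name="q" value="{safe}">'
            f'<p>Results for {safe}</p>'
            f'<script>var q = {encode_js_string(value)};</script>')


def script_survives(page: str) -> bool:
    """Crude check used by the tests: did the injected <script> element
    reach the response as live markup?"""
    return "<script>alert(1)</script>" in page


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(PAYLOAD))
    print("hardened:  ", render_hardened(PAYLOAD))
```

The check is deliberately blunt; in practice the response should be rendered in a browser or a headless one, since encoding that is correct for one context (an attribute) is still wrong for another (a URL or a CSS value), which is why the cheat sheet lists separate rules per context.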