ehssoftserve.com Cross Site Scripting vulnerability OBB-1194851

Description

Following the coordinated and responsible vulnerability disclosure guidelines of the **[ISO 29147](<https://www.iso.org/standard/45170.html>)** standard, Open Bug Bounty has:

a. verified the vulnerability and confirmed its existence;
b. notified the website operator about its existence.

| Field | Value |
|---|---|
| Affected Website | **[ehssoftserve.com](<http://www.ehssoftserve.com>)** |
| Vulnerable Application | Custom Code |
| Vulnerability Type | **[XSS (Cross Site Scripting)](<https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)>)** / CWE-79 |
| CVSSv3 Score | 6.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N] |
| Disclosure Standard | Coordinated Disclosure based on **[ISO 29147](<https://www.iso.org/standard/45170.html>)** guidelines |
| Discovered and Reported by | **xav0** |
| Remediation Guide | **[OWASP XSS Prevention Cheat Sheet](<https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.md>)** |
| Vulnerable URL | (published only as an image; not available as text) |
| HTTP POST data | (published only as an image; not available as text) |

**Screenshot:** ![ehssoftserve.com vulnerability](/twimages/screen-1194851.jpg)

**Mirror:** [Click here to view the mirror](<http://1194851.openbounty.org/mirror/>)

### Coordinated Disclosure Timeline

| Event | Time |
|---|---|
| Vulnerability Reported | 12 June, 2020 17:41 GMT |
| Vulnerability Verified | 12 June, 2020 17:52 GMT |
| Website Operator Notified | 12 June, 2020 17:52 GMT |
| Public Report Published [without any technical details] | 12 June, 2020 17:52 GMT |

Notification channels used for the website operator (all completed):

a. Using the ISO 29147 guidelines
b. Using publicly available security contacts
c. Using Open Bug Bounty notification framework
d. Using security contacts provided by the researcher