subastacar.com Cross Site Scripting vulnerability OBB-1194997

### Description

Following coordinated and responsible vulnerability disclosure guidelines of the **[ISO 29147](<https://www.iso.org/standard/45170.html>)** standard, Open Bug Bounty has:

a. verified the vulnerability and confirmed its existence;
b. notified the website operator about its existence.

| Affected Website: | **[subastacar.com](<https://subastacar.com>)** |
|---|---|
| Open Bug Bounty Program: | **Create your bounty program now**. It's open and free. |
| Vulnerable Application: | Custom Code |
| Vulnerability Type: | **[XSS (Cross Site Scripting)](<https://www.owasp.org/index.php/Cross-site_Scripting_\(XSS\)>)** / CWE-79 |
| CVSSv3 Score: | 6.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N] |
| Disclosure Standard: | Coordinated Disclosure based on **[ISO 29147](<https://www.iso.org/standard/45170.html>)** guidelines |
| Discovered and Reported by: | **Tanzil** |
| Remediation Guide: | **[OWASP XSS Prevention Cheat Sheet](<https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.md>)** |
| Export Vulnerability Data: | Bugzilla Vulnerability Data; JIRA Vulnerability Data [ Configuration ]; Mantis Vulnerability Data; Splunk Vulnerability Data; XML Vulnerability Data [ XSD ] |
| Vulnerable URL: | (shown only as an embedded image on the original page; not reproduced here) |

**Screenshot:** ![subastacar.com vulnerability](/twimages/screen-1194997.jpg)

**Mirror:** [Click here to view the mirror](<http://1194997.openbounty.org/mirror/>)

### Coordinated Disclosure Timeline

| Vulnerability Reported: | 12 June, 2020 22:42 GMT |
|---|---|
| Vulnerability Verified: | 12 June, 2020 22:56 GMT |
| Website Operator Notified: | 12 June, 2020 22:56 GMT |

| a. Using the ISO 29147 guidelines | ![](/images/done.png) |
|---|---|
| b. Using publicly available security contacts | ![](/images/done.png) |
| c. Using Open Bug Bounty notification framework | ![](/images/done.png) |
| d. Using security contacts provided by the researcher | ![](/images/done.png) |

| Public Report Published [without any technical details]: | 12 June, 2020 22:56 GMT |
|---|---|
| Vulnerability Fixed: | 10 July, 2020 17:46 GMT |