pixelatingbits.com Cross Site Scripting vulnerability OBB-1195578

Report ID: OBB-1195578
Published: 2020-06-13 11:10:00
Reported by: xav0
Source: www.openbugbounty.org

Following coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has:

    a. verified the vulnerability and confirmed its existence;
    b. notified the website operator about its existence.

Affected Website: pixelatingbits.com
Vulnerable Application: Custom Code
Vulnerability Type: XSS (Cross Site Scripting) / CWE-79
CVSSv3 Score: 6.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N]
Disclosure Standard: Coordinated Disclosure based on ISO 29147 guidelines
Discovered and Reported by: xav0
Remediation Guide: OWASP XSS Prevention Cheat Sheet

Vulnerable URL: [shown only as an image on the original page; not reproduced here]

Screenshot: pixelatingbits.com vulnerability

Coordinated Disclosure Timeline

Vulnerability Reported: 13 June, 2020 11:10 GMT
Vulnerability Verified: 13 June, 2020 11:22 GMT
Website Operator Notified: 13 June, 2020 11:22 GMT
    a. Using the ISO 29147 guidelines
    b. Using publicly available security contacts
    c. Using Open Bug Bounty notification framework
    d. Using security contacts provided by the researcher
Public Report Published [without any technical details]: 13 June, 2020 11:22 GMT