
rescuemycar.com Cross Site Scripting vulnerability OBB-1195937

Description

Following coordinated and responsible vulnerability disclosure guidelines of the **[ISO 29147](<https://www.iso.org/standard/45170.html>)** standard, Open Bug Bounty has:

a. verified the vulnerability and confirmed its existence;
b. notified the website operator about its existence.

Affected Website:| **[rescuemycar.com](<https://www.rescuemycar.com>)**
---|---
Open Bug Bounty Program:| **Create your bounty program now**. It's open and free.
Vulnerable Application:| Custom Code
Vulnerability Type:| **[XSS (Cross Site Scripting)](<https://www.owasp.org/index.php/Cross-site_Scripting_\(XSS\)>)** / CWE-79
CVSSv3 Score:| 6.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N]
Disclosure Standard:| Coordinated Disclosure based on **[ISO 29147](<https://www.iso.org/standard/45170.html>)** guidelines
Discovered and Reported by:| **xav0**
Remediation Guide:| **[OWASP XSS Prevention Cheat Sheet](<https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.md>)**

**Vulnerable URL:** (provided as an embedded image in the original report; not reproduced here)

**HTTP POST data:** (provided as an embedded image in the original report; not reproduced here)

**Screenshot:** ![rescuemycar.com vulnerability](/twimages/screen-1195937.jpg)

**Mirror:** [Click here to view the mirror](<http://1195937.openbounty.org/mirror/>)

### Coordinated Disclosure Timeline

Vulnerability Reported:| 13 June, 2020 12:23 GMT
---|---
Vulnerability Verified:| 13 June, 2020 12:30 GMT
Website Operator Notified:| 13 June, 2020 12:30 GMT
a. Using the ISO 29147 guidelines| done
b. Using publicly available security contacts| done
c. Using Open Bug Bounty notification framework| done
d. Using security contacts provided by the researcher| done
Public Report Published [without any technical details]:| 13 June, 2020 12:30 GMT