mail1.ipertrade.eu Cross Site Scripting vulnerability OBB-1205284

2020-06-2408:21:00

masofily

www.openbugbounty.org

JSON

Following coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has:

&nbsp&nbsp&nbsp&nbsp&nbsp&nbspa. verified the vulnerability and confirmed its existence;
&nbsp&nbsp&nbsp&nbsp&nbsp&nbspb. notified the website operator about its existence.

Affected Website:	mail1.ipertrade.eu
Open Bug Bounty Program:	Create your bounty program now. It’s open and free.
Vulnerable Application:	Other
Vulnerability Type:	XSS (Cross Site Scripting) / CWE-79
CVSSv3 Score:	6.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N]
Disclosure Standard:	Coordinated Disclosure based on ISO 29147 guidelines
Discovered and Reported by:	masofily
Remediation Guide:	OWASP XSS Prevention Cheat Sheet
Export Vulnerability Data:	Bugzilla Vulnerability Data
JIRA Vulnerability Data [ Configuration ]
Mantis Vulnerability Data
Splunk Vulnerability Data
XML Vulnerability Data [ XSD ]

Vulnerable URL:

![](data:image/png;base64, iVBORw0KGgoAAAANSUhEUgAAAiEAAAA3CAIAAABVZQ1/AAAACXBIWXMAAA7EAAAOxAGVKw4bAAARC0lEQVR4nO3de0xT1x8A8CtWLKUtWOj1AZOHBowxrnOO4GSbEaKGEVI3RGXdRCX4CGGG4AbMOYYbKsKSsYUYNxc1ZFuWzRFiDC6EGIZMEbvadQwbxqDWghN5aK1FK/f3x8lO7u+++qag389fPben937P99zbwz1tDzMoiiIAAAAAPwgKdAAAAACeWjDGAAAA8BcYYwAAAPgLjDEAAAD8BcYYAAAA/gJjDAAAAH+ZEmNMXFzc9evX+YpgEkzHnE/HmCcNJMct169f37NnT6CjeDoFfoz5448/JiYmnn/+ec4imATTMefTMeZJA8lxV25ubmxsbKCjeDo5GWP6+/tlMhnnU2NjY4cPH+Yruq6xsTEzM5Ov6BkcNjv+8fHxrVu38jVKoL0e8DgndP39/XPmzPFJPHy8zLlvk8beJ+f+ccwjIyPbt29XKpVRUVHvv//+48ePPT6Q9+gnnr97TYDHHeqrbAS2+a6gX5t3797V6/X79u0j/j8DFy5cCAsLu3v3Ln7V6tWrP/jgA4Ig7t+//+6778bExISEhCQmJh49evTJkyeT3ojpwfP7mNHR0crKSr6i6/wxxsTExAwNDbG3j4+Pb9iwweFwuPtCz3ick0nmk5z7ltOOwDHn5uY+evRIp9O1tLS0t7cfPHhwsmKcuqZgh0419GvTarVKJJLZs2cz6qxfvz4lJaWiogIVf/75576+vrKyMoIgduzYYTKZfvnlF5PJVFdX19TUpNVqJzP+6YQS1NfXJ5VKXXlKoKYAi8USHh7+6NEjzqL32EF+8sknnoXq/dE93kl4eLhP4uHkfc79nU/2/nHMNpstOjraarWi7R0dHYsXL/Zy594wm80rVqxAD5KSkny1W7d406G+yoa/T1rv0VtKf4x7EOnu7pZIJL29vQ6HIyEh4dSpUxRF2Ww2kUg0Ojo6+WFPRy7dx3z++edxcXERERFvv/322NgYQRBjY2OxsbFWq3XGjBmnT5+mFz/77DOZTHbs2LG5c+fOmTNn27ZtDx8+5NtzY2PjunXrZs2axSiiO9aampq4uLjQ0NDNmzffvXt3//79SqUyIiJi+/btDx48QC+5evXqqlWrQkJClErlpk2bbt26RfDf8sfExKBbXT6MSTbOVoyPj+/cuVMmk8XExHz00UfoHhnVP3z4sFKpnD9//smTJxkpYlfgC54giFu3bq1fv14mkyUmJn777bc4PM5D0wnERm8jfR4D53zjxo3Hjh1DG69fvz579mzU1wRB7Nq1a//+/cIBHD16lJErbzpReNIGxxwSEnLz5s3Q0FC0vaenZ8GCBQRBPHnypLS0dO7cuaGhoZs2bcLTHQ8ePNi1a5dSqXzuuec+/vhjdgI5K3D2HaeoqKhr166hB1euXEEbL1y4wFefUeHq1auvvPKKTCaLiop68803//rrL4IgNm/e/Omnn+LKq1atOn369MDAwOuvvy6TyeLi4mpqajg7lK9F9H6ZM2fOW2+9hTvalWy4e9Ky8V1cnHkW6BGnpxbfgRjXJmcPIomJifn5+SUlJSdOnJDL5du2bSMIYmJigiAIkUgk3K0AcT7GWK1WnU7X3t7e0dFhsVhKSkoIgggLC+vu7pZKpXa7XaPR0IsbN260Wq0dHR2dnZ2dnZ1arbaqqopv5wITZei4bW1tOp3OYrEsWbJkaGhIr9dfvnwZ37ESBKHVavPz8wcHBw0GQ3R0dEFBgVf5+P+Gc7aioqLCZrPp9fqmpqbW1tbjx4/j+t3d3QaD4dSpUykpKYwUsSsIBF9QUCCXy7u6us6fP0+/XPkO7XoFNpzzjIyM5uZmtPHcuXMTExNNTU2o2NzcnJ6eLtz2zv/Qc+WnTuScC7px40ZxcXF1dTVBEFVVVc3Nzc3NzUajccGCBV1dXahOYWGhxWLRarVNTU2NjY11dXWMnfBVYPedkoUv2tzc3NTUVPo7F3b16tXU1NTc3FxUzMjIyM3NNZlMbW1tKSkpYrGYIIjs7OyGhgZUYWBgQKfTqdXqgoKC4ODgnp6e5ubmM2fOCCSHs0VWq1Wv16OL2mQy4Y5wJRvunrScieK7uNh5FugRV04tzgOxr00BBw8ebGlpKSsrq62tRVtCQ0PT09O3bNly6dIl/HcS4CV8m9PX10cQxL1791Cxvb09Pj4eP8U5V4ZeYjKZ0PazZ8+uXLkSPTaZTLGxsfglVqtVKpUODw+zi2gn+G60ra0tKCjIZrPhMDinRHp6eubNm8cIhn3v78oEoEArIiMj8eSMTqdDUyKoPm4L+0CcFTiDdzgcYrGYfmg87cB5aDq+2Bg9hXdIz7nFYpFIJHa7naKopKSkoqKinJwcVF8ul6O5F4G2s3PlTSfyTWVQrNMGMZvN8fHx33//PSqSJKnVahl7djgcUqm0t7cXFRsbG5OTk+k756xA8fSdmYXdFhxwZWWlQqHIzs42Go1oo9FozM7OVigUlZWVKKXDw8MikQjln85ms8nlcpTeurq6zMxMdIbgOOlnCCM5fE2mX9RtbW2cFzVfNuhcOWnZiRI+Yeh5Fu4Rp6eWwFUscIKxbdmyZeHChfQt9+7dKykpSUhIEIlEixcvLi8vdzgcAnt4lrn3eQz97UlgjBGLxXh7V1cXSZLoscPhsFgs+KmzZ8+uXbuWsyhwXEZRq9WmpaUtWLAgMjJSoVCg7T4ZYzhbMTw8TBBE5H8UCgXa7vRAnBU4g7dYLIxDo+18h8ZcjI2ePUYXqFSqlpaWwcHB6Ojo0dFRkiQdDsfXX3/9xhtvCO+fM1fedKJA6hgxI8nJybW1tejx6OioSCRiX/MWiyU4OBgXjUYjYzDjrMAOwDPDw8NqtVokEqGiSCRSq9WMOf0tW7aoVKqioqLq6uqLFy/St6PWpaWl1dfXM+LEZwjFSo7TJlP8FzVfNtw6aTm5eMIIxODiqSXwXuT6GKPX68PDw5ctW3b8+HH2s3a7vb29PTk5+cCBA3x7eMZN6pTizJkz58+fj4s++UaZWq3Oy8s7fvy4WCw2m80bNmzwTaw87HZ7UFBQZ2cnno0NCvL8u3luBe/00B7Exsh5enp6c3Nzb29vRkZGWFiYSqVqbW3FE2W+bTudW3lgnycDAwN6vf63336jb5w5c6ZPYuPDnhy7c+cOX+W///774MGDra2t+EtKFRUV1dXVe/furaioWLRoEdr43XffXbt2zWAwWCyWoqKil19++YsvviAIIjs7+8svv9RoNB0dHWfPnrVarXwHmoRvlLl7xbET1dnZ6bfofK+wsLCoqOjVV1/NysrKzs5mfCd79uzZq1atqq2t1Wg0hw4dClSQU5lffoNpt9tv3ryJHhuNxoULF7LrPHny5Ny5c/h6YBRddOfOHYvF8uGHHy5atCgqKgrNX/sKZyvmz58vkUiGh4ej/kMfNd3CFzxJkgRB0A+NHjg9NF8FhUJhs9nu37+PqpnNZvSAnXP0kQx+n1Kr1Q0NDRcvXkRjjEAArvS4u3ngxHmekCRpMBhwMSwsTKFQsH/lTpJkcHDwP//8g4rd3d2Mn905rUCnY+GruWfPHpVKNW/ePKPRWFpaijaWlpYajUaSJFUqFf0X5i+++OK2bdtKS0u/+eYb/DFMenq6Tqc7c+ZMWlqaTCYjSTIoKKi/vx/HyZcct1rEwPlad09avkS5eMJ4Ez/izZlJEMRPP/3U29tbXFz82muvpaSk4G/GMz6GsdvtAr+IeNYJ3+YIT+WLRCI8v4yLaA40KyvLbDYbDAaVSlVeXo73gKebW1tbly1bhrcziq5Ps5AkWVdXNzo6ajQa1Wo1Y67s3r17IpGou7ubPnPCvjXGUTE+j+Fsxe7du5OTk9Efm1VVVRUVFZz7ZKSIswJn8BRFqdVq+qHxds5D02fwOStQFJWUlJSXlzc4OGg0GlNSUtAOGTnHIZEkifZpNpvlcrlKpRLeP1+uvOlE+mvpncgZMyMJFEVVVlYmJSXp9Xqz2VxQUNDa2oq25+XlZWZmmkwmg8GwYsWK2tpaxhnCrsDXd67TaDR9fX18z/b19Wk0Goqiurq6NmzY0NLSMjQ0ZDKZ8vLyMjIycLWcnBy5XP7DDz+gYlZWllqt7uvrMxgMy5cvF+hQdosE+sWVbLh70nI22ZUThi9+dk2BuTK+q5h+bZpMJvqUGmaz2WJjY+vr61HRaDRKJBK9Xt/d3U2S5IkTJywWy+joKEp7ZWUlX3ufcZ6PMRRFlZeXSyQS9J1xXKypqZFKpUeOHCFJMjw8/J133sGfxdH3VlxcXFZWhnfFKLr+9tTa2rpy5UqxWDxv3ryioiLGGENRVElJCT1Izp2zZ2bRA85W2O32ffv2RUdHSySS9PR09IEk39sQThFnBc7gKYoym83r1q2TSqUJCQnV1dV4O/vQjN1yxkZRVE9Pz9q1a6VS6dKlS2tra9EOGTlHcnJysrKycHHlypX0OgJtr6qqYuTKm05kvBZ3ImfM7F9jOByO9957LzIyUiwWq9XqoaEhtN1qtebn50dGRkZHR+PPaelnCGcFf/8ACHn06FF5eXlCQkJwcDBJkhqNZnBwED/b0NAglUrxSTg4OJiRkSGVSmNjY48cOSLQoewWCfeL02y4e9Ky8V1cfH+oOe0RgTGG7yqmaNem3W4Xi8X4z2WsoqKC8bWaffv2rVmzhqKo8+fPr1mzRi6XSySS5cuXnzhxgq+xwMkY4wEXL8iEhITLly/zFQNuct5WAmuq5dwV0zFmf0N/VlPTJzmTdnG5fqDCwkL2F0mATwTsZ0Q3btwQKIJJMB1zPh1j9jedThcfH09AcrxQXV0t8Ika8Ebg1132zOPHj7du3Xr79u1ABwJAABw6dOjkyZN37ty5cuVKWVnZ7t27Ax3R9DZr1qyXXnop0FE8nabrGDNr1qzg4ODi4uJABwJAAKxZs6auri46Olqj0RQWFqI1TgCYgmZQFCVc4/79+wcOHGhoaPj3338XLly4Y8eO4uJigR8f9Pf3L1u2DH9TFm1RqVQjIyPeh0vf+e+//56enj4wMOD9bgEAAPiD8/uYKbuKtUKhEPgxGgAAgIBz8pn/w4cPGxoahoaGwsLCCIJITU1NTU2dlMC4iUSihISEAAYAAADAdU7uY3y+irWLC+Pz1WSsvE3ndAV1AAAAk8zJGOPzVaxdXBhfoCYfgRXUAQAABIbTX9C4u4o1Wr8hkgYvzkq5szC+03Xs2Uu+s1dQBwAAEEDOv1eGjY+Pa7XaoqKitLQ0gRVG+/v7ly5dSl8UDy3OOjIyMjIyolAoIiMj0faJiQmRSHT79m32V9H4ajIOxHgVeuGOHTvOnTv3+PFjF9sFAADAT9z4oMX1VayDgoKioqJwEa9I6vri8J4tI89eQR0AAEAAOR9jHjx4gP9fOuHdKtZ4cfgXXnjBVzWxPXv21NfX5+fnG43GiIgIzyIEAADgQ05uDm7cuBEfH//VV18NDAyMjY39+uuve/fuzcvL8/h4Go1m7969f/7558DAwLFjxwTuh5zWdDgc9C+8Wa1Wg8FQU1MDAwwAAEwVTj+xcXcVa/Zap/SVt11fGJ9vmXrsxx9/XL58udP4AQAABIobn/lPKePj40uWLDlw4MDOnTsDHQsAAABu03WMIQji0qVLq1evDnQUAAAAeHk4xiiVSs7tvb29MpnMu5AAAAA8JTwcY27dusW5nf6VZQAAAM+4aTxXBgAAYIqbrv+jDAAAwNQHYwwAAAB/gTEGAACAv8AYAwAAwF9gjAEAAOAvMMYAAADwFxhjAAAA+AuMMQAAAPwFxhgAAAD+AmMMAAAAf4ExBgAAgL/AGAMAAMBfYIwBAADgLzDGAAAA8BcYYwAAAPjL/wAd76p0IbbZawAAAABJRU5ErkJggg==)

HTTP POST data:

![](data:image/png;base64, iVBORw0KGgoAAAANSUhEUgAAAiEAAAAjCAIAAADNIk3yAAAACXBIWXMAAA7EAAAOxAGVKw4bAAALiElEQVR4nO3cf0wTZx8A8Md6lFraApWe5ccQnAH/IIw45yAyRwZRwwjpMkU2ieCPsGkQG8IWYMyxLquO4f4gCzHELY6YLTHTEbIQXJhZGkYUsTlrg/WCXemwYIRa8MTqwHv/eN5c7u1df8hLV9m+n796z/O9u+/z9OiXPtd2BcuyCAAAAAgDSaQTAAAA8I8FNQYAAEC4QI0BAAAQLlBjAAAAhAvUGAAAAOECNQYAAEC4QI0JLj09/fr165HOYnm4fv36oUOHIp1FeP3111/vvPPO3bt3I50IAMsA1Jggbty48fTp05deeinSiSwPVVVVaWlpkc4ivKKioqRSaX19faQTAWAZWMoaMzY2plQql/ZQY2Nj8fHxS3LMxenp6SktLX3WvZZqKiI+/FDMzMwcP34cITQ9PW2xWPR6PW7nJuHixYuxsbHT09PcLlu2bPnoo48QQg8ePDh69OjatWtXrVqVmZn5xRdfLCws4JgAXaKEc76Es+dzcL1e39/fvyRHBuCfDd7HBLG4GvOv4vF4jEYjQohhGLlcHh0d7ROwffv2/Px8g8GAN3/66SeHw9HU1IQQ2r9/v9Pp/OWXX5xOZ0dHR19fn9lsxmEBuiJOrVYzDBPpLABYBohIJyCOIIiMjAz+g4iYmJigabqgoCBSCSxr/Ofuq6++2rhxo16vT01NbWhoMBqNMTExjx496u7unpqaio2NRQgVFhYWFhbi+ABdERHZ6xCA5Sv4+5iFhYXGxsY1a9bExMTs2rULr3g8fPjwvffe02g0L7zwwqeffiq6iCGMwQsOx48f12g0iYmJ33zzjb+TJicnX7t2DT+4cuUKbrx48WLgVPkBV69efe2115RKZXJy8ttvv33z5s3du3d//vnnXEBeXt53332HEJqYmHjzzTeVSmV6evrJkyf5qys9PT3btm2LioryN2Q8opMnT6anp8fHx+/Zs2dmZiaUqeCSzMvLW7VqlUaj2bVr1507dxBCd+7c2b59u1KpzMzM/P777wMPGSfw5ZdfrlmzJj4+vrKy8tGjR1y7z1T7e0Zw/jExMbt3756env7ggw80Gs3q1av37dv38OHDwCeamZlJS0tjGGbFihXnz58XfRIRQpmZmdXV1Q0NDZ2dnSqVqrKyEiH09OlThBBBiPyjE6Br0R4/fnzgwAGlUrl27dpPPvnE3wUpDPMZi4+glyUA/2bBa0xra2t/f39/fz9N00lJSSMjIwih2tpal8tlNpv7+vp6eno6OjqEO4rGMAxjs9msVuuZM2fy8/MRQhoBf5lUVVUVFhaK/qlfvXq1sLCwqqqKaykpKamqqnI6nQMDA/n5+TKZrKysrLu7G/dOTExQFKXT6RBCNTU1Uql0dHS0v7+/q6uLf1j+Qpm/ITMMY7FYBgcHh4aGnE4nXgIKZSoQQmazubq6enJy0mq1pqSk1NTU4HxUKtXIyEhvby+/xvibKIZhhoaGhoeHh4eHzWZza2sr1+4z1f6eEYqiBgYGKIpyuVwbNmyYmpqyWCyXL1/mVrQCnCg2NtZmsykUCq/X+9Zbb/l77hBCx44du3TpUlNTU3t7O26JiYkpLi4uLy///fffuWIWtGvRDAbD3NycxWLp6+szmUynTp0SnSXRsAACXJYAAMQGQ5Kk2Wzmt8zPzysUCrvdjjd7enpyc3NZlnU4HAqFIkCMw+FACLndbv7RxgX8ZcIwjNFoVKvVZWVlNE3jRpqmy8rK1Gq10WhkGAY3ut1ugiC8Xi9/97m5OZVK5XQ6WZbt6OgoLS3FecpkMi7PCxcuxMXFcadTKBQ42wBDRgjNzs7i9oGBgXXr1oUyFcLRjY6OarVanA9O0icf0YnCCfDjN23axLXzpzrAM+LxeLj8JRLJ3Nwc3hwcHFy/fj1+7O9E/MHyRy2qvLw8NTWV3zI7O9vQ0JCRkUEQxPr161taWubn54N2icIZJvCo1Wpu9liWTUhI4K4QiqI2b94sekEKw0TPxY1U9LIEAGBBaozH4yEIwudv2+VySaVSbpOmaa1Wy/7vH55oTNDXoFC43W6dTkcQBN4kCEKn03Gvkpzy8vKcnJy6urq2trbffvuNa2xvb2dZtqio6OzZs8I8R0ZGuFelCxcuvPHGG6EPGW/i3YNOBX5sNpuLioqSkpK4F0SXyyWTyUTzEeVwOHziSZIUJuYvDX/5Czf9nYgNucZYLJa4uLisrKxTp04Je71e7+DgYG5ubnNzc+hdfA6HQy6X82vw5cuXufzdbje/AqnVapIkhQmLhomeS7gj/7IEAGAhfa5s5cqVS/vmiS/0tTKE0O3bt2tqakwmE/chJYPBYDKZDh8+fPv2bX7kDz/8cPr06ezs7CdPntTV1R05cgQhhJfL7t+/PzQ0FPTTYn/DJ8p0Ot3WrVtNJhNFUb29vYGDn2minkO1tbV1dXVff/11c3Pz/fv3fXqjo6Pz8vLa29vPnTsXepcPiUSSzKPVarkur9crkUiGh4cpiqIoymKxUBQlPEKIYT6ElyUAAAtSY2JjY9Vqtc+33EmSlEqlf/zxB9602WzCr92FEoNRAv6SOXToUE5OjlarpWm6sbERNzY2NtI0TZJkTk6OzzfMX3755crKysbGxm+//RbfiSkuLqYoqqurq6ioCH/dgSRJiUQyNjbG5YkfLCws/Pzzz1yNCX04Qv72vXfvnsvl+vjjj1988cXk5GSZTIaDEUJ//vknDqZpOuhEeb1efnxqauozpRG6EE8k6vz583a7vb6+/vXXX8/Pzz927Bhu97nX4vV65+fng3YtQmJiolwud7vdXAVKTExcdBif6GUJAPivoO90jEbj5s2bLRbL+Pg4/meNZdmDBw+WlpY6nU6r1bpx40a8ADU7O0sQhM1mw2trwpj/c62soqLC4XD463U4HBUVFfjxyMjIjh07Ll26NDU15XQ6Dx48WFJSgrveffddlUp17tw5bsedO3fqdDqHw2G1WrOzs/HqislkysrK4h9fdMj+1pqCTgWOJ0myo6PD4/HQNK3T6fC+Op1u586d4+PjVqs1Jycn6FoZQogf39LSIkzM3xCeaa1M9EQsyzIMQxAETdNOp5O/nsaZm5tLS0vDi5Msy9I0LZfLLRaLzWYjSbKzs9Plcnk8HjznRqORZdkAXQGmwmfIPsN5//33c3NzrVary+VqbW01GAyisyQME55rdHSUO3LgyxKAf7ngNWZ+fv7DDz9MSEiQyWQ6nW5qaoplWYZhqqurExISUlJS+DdjGxoa5HL5mTNnRGOW5H5MKJ48edLS0pKRkSGVSkmSrKiomJycxF3d3d0KhYK7rc2y7OTkZElJiUKhSEtLO3HiBH7tqK+vb2pq4h9TdMgBXqMDTwWOMZlMmzZtkslkWq22rq4O7zs+Pr5t2zaFQpGRkdHW1ha0xigUihMnTpAkGRcXt3fvXjw00akO+owErjGiJ8JaWlrkcvnp06dlMpnwvrfBYPC5c67X6wsKCliW7e3tLSgoUKlUcrk8Ozu7s7OTiwnQFWAqfFr4w/F6vXq9PiUlRS6XFxcX2+120VkShgnP9eOPP2ZnZwfOBwDAsuwKlmUj+0bquXLr1q2tW7fevXs3MzOzq6vr1VdfjXRGQYyNjWVlZT148OA5OdHRo0etVuuvv/4a7nwi6PHjxxs2bGhubj5w4ECkcwHgefecfs8/UiiKWrduHULo1q1bkc5lWWprawvlJvmyFh0dffbs2S1btkQ6EQCWAagx6LPPPktKSiotLbXb7U1NTdztaLAIUVFRr7zySviO7+/TdHa7fal+jzUUUGAACBHUGFRQUKDX6w8fPpyamlpbW4t/5gQ8n/y9Sfo7CwwAIHRwPwYAAEC4wG/7AwAACBeoMQAAAMIFagwAAIBwgRoDAAAgXKDGAAAACBeoMQAAAMIFagwAAIBwgRoDAAAgXKDGAAAACBeoMQAAAMLlP3AKDNgLECwZAAAAAElFTkSuQmCC)

Mirror: Click here to view the mirror

Coordinated Disclosure Timeline

Vulnerability Reported:	24 June, 2020 08:21 GMT
Vulnerability Verified:	24 June, 2020 08:30 GMT
Website Operator Notified:	24 June, 2020 08:30 GMT
a. Using the ISO 29147 guidelines
—	—
b. Using publicly available security contacts
c. Using Open Bug Bounty notification framework
d. Using security contacts provided by the researcher
Public Report Published
[without any technical details]:	24 June, 2020 08:30 GMT
Vulnerability Fixed:	31 July, 2020 17:43 GMT
—	—

JSON