Following coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has:
      a. verified the vulnerability and confirmed its existence;
      b. notified the website operator about its existence.
| Field | Value |
| --- | --- |
| Affected Website | canna.ch |
| Vulnerable Application | Custom Code |
| Vulnerability Type | XSS (Cross Site Scripting) / CWE-79 |
| CVSSv3 Score | 6.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N] |
| Disclosure Standard | Coordinated Disclosure based on ISO 29147 guidelines |
| Discovered and Reported by | mosaabbelk |
| Remediation Guide | OWASP XSS Prevention Cheat Sheet |
Vulnerable URL:
Screenshot: ![canna.ch vulnerability](/twimages/screen-1207513.jpg)
Coordinated Disclosure Timeline
| Event | Time |
| --- | --- |
| Vulnerability Reported | 26 June, 2020 14:58 GMT |
| Vulnerability Verified | 26 June, 2020 15:14 GMT |
| Website Operator Notified | 26 June, 2020 15:14 GMT |
| Public Report Published (without any technical details) | 26 June, 2020 15:14 GMT |
| Vulnerability Fixed | 28 July, 2020 17:45 GMT |

Website operator notification channels used (all marked done):
      a. Using the ISO 29147 guidelines
      b. Using publicly available security contacts
      c. Using Open Bug Bounty notification framework
      d. Using security contacts provided by the researcher