Following coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has:
      a. verified the vulnerability and confirmed its existence;
      b. notified the website operator about its existence.
| Field | Value |
|---|---|
| Affected Website | arsart.com.pl |
| Open Bug Bounty Program | Create your bounty program now. It's open and free. |
| Vulnerable Application | Custom Code |
| Vulnerability Type | XSS (Cross Site Scripting) / CWE-79 |
| CVSSv3 Score | 6.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N] |
| Disclosure Standard | Coordinated Disclosure based on ISO 29147 guidelines |
| Discovered and Reported by | xav0 |
| Remediation Guide | OWASP XSS Prevention Cheat Sheet |
| Export Vulnerability Data | Bugzilla, JIRA [Configuration], Mantis, Splunk, XML [XSD] |
Vulnerable URL: (provided only as an image)
HTTP POST data: (provided only as an image)
Screenshot: ![arsart.com.pl vulnerability](/twimages/screen-1213732.jpg)
Coordinated Disclosure Timeline

| Event | Date / Status |
|---|---|
| Vulnerability Reported | 2 July, 2020 13:33 GMT |
| Vulnerability Verified | 2 July, 2020 13:44 GMT |
| Website Operator Notified | 2 July, 2020 13:44 GMT |
| a. Using the ISO 29147 guidelines | done |
| b. Using publicly available security contacts | done |
| c. Using Open Bug Bounty notification framework | done |
| d. Using security contacts provided by the researcher | done |
| Public Report Published [without any technical details] | 2 July, 2020 13:44 GMT |
| Vulnerability Fixed | 3 August, 2020 15:45 GMT |