
boomarms.com Cross Site Scripting vulnerability OBB-1222304

### Description

Following the coordinated and responsible vulnerability disclosure guidelines of the **[ISO 29147](<https://www.iso.org/standard/45170.html>)** standard, Open Bug Bounty has:

a. verified the vulnerability and confirmed its existence;
b. notified the website operator about its existence.

| Field | Value |
|---|---|
| Affected Website | **[boomarms.com](<http://www.boomarms.com>)** |
| Vulnerable Application | Custom Code |
| Vulnerability Type | **[XSS (Cross Site Scripting)](<https://www.owasp.org/index.php/Cross-site_Scripting_\(XSS\)>)** / CWE-79 |
| CVSSv3 Score | 6.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N] |
| Disclosure Standard | Coordinated Disclosure based on **[ISO 29147](<https://www.iso.org/standard/45170.html>)** guidelines |
| Discovered and Reported by | **haxmov** |
| Remediation Guide | **[OWASP XSS Prevention Cheat Sheet](<https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.md>)** |
| Vulnerable URL | (not reproduced in this record) |

**Mirror:** [Click here to view the mirror](<http://1222304.openbounty.org/mirror/>)

### Coordinated Disclosure Timeline

| Event | Date |
|---|---|
| Vulnerability Reported | 12 July, 2020 02:54 GMT |
| Vulnerability Verified | 13 July, 2020 09:12 GMT |
| Website Operator Notified | 13 July, 2020 09:12 GMT |
| Public Report Published [without any technical details] | 13 July, 2020 09:12 GMT |
| Vulnerability Fixed | 14 July, 2020 02:18 GMT |

Website operator notification methods used:

| Method | Status |
|---|---|
| a. Using the ISO 29147 guidelines | done |
| b. Using publicly available security contacts | done |
| c. Using Open Bug Bounty notification framework | done |
| d. Using security contacts provided by the researcher | done |