
findingyourzen.com Cross Site Scripting vulnerability OBB-1222678

Description

Following the coordinated and responsible vulnerability disclosure guidelines of the **[ISO 29147](<https://www.iso.org/standard/45170.html>)** standard, Open Bug Bounty has:

a. verified the vulnerability and confirmed its existence;
b. notified the website operator about its existence.

| Field | Value |
|---|---|
| Affected Website: | **[findingyourzen.com](<http://www.findingyourzen.com>)** |
| Open Bug Bounty Program: | **Create your bounty program now**. It's open and free. |
| Vulnerable Application: | Custom Code |
| Vulnerability Type: | **[XSS (Cross Site Scripting)](<https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)>)** / CWE-79 |
| CVSSv3 Score: | 6.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N] |
| Disclosure Standard: | Coordinated Disclosure based on **[ISO 29147](<https://www.iso.org/standard/45170.html>)** guidelines |
| Discovered and Reported by: | **xav0** |
| Remediation Guide: | **[OWASP XSS Prevention Cheat Sheet](<https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.md>)** |
| Export Vulnerability Data: | Bugzilla Vulnerability Data; JIRA Vulnerability Data [ Configuration ]; Mantis Vulnerability Data; Splunk Vulnerability Data; XML Vulnerability Data [ XSD ] |
| Vulnerable URL: | (shown only as an image on the original page; not reproduced here) |

**Mirror:** [Click here to view the mirror](<http://1222678.openbounty.org/mirror/>)

### Coordinated Disclosure Timeline

| Event | Date |
|---|---|
| Vulnerability Reported: | 12 July, 2020 09:03 GMT |
| Vulnerability Verified: | 12 July, 2020 09:19 GMT |
| Website Operator Notified: | 12 July, 2020 09:19 GMT |
| Public Report Published [without any technical details]: | 12 July, 2020 09:19 GMT |
| Vulnerability Fixed: | 11 August, 2020 13:47 GMT |

Website operator notification methods:

| Method | Status |
|---|---|
| a. Using the ISO 29147 guidelines | done |
| b. Using publicly available security contacts | done |
| c. Using Open Bug Bounty notification framework | done |
| d. Using security contacts provided by the researcher | done |