Following coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has:
      a. verified the vulnerability and confirmed its existence;
      b. notified the website operator about its existence.
| Field | Value |
|---|---|
| Affected Website | nbparts.hu |
| Vulnerable Application | Custom Code |
| Vulnerability Type | XSS (Cross Site Scripting) / CWE-79 |
| CVSSv3 Score | 6.1 (`CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N`) |
| Disclosure Standard | Coordinated Disclosure based on ISO 29147 guidelines |
| Discovered and Reported by | xav0 |
| Remediation Guide | OWASP XSS Prevention Cheat Sheet |

Vulnerable URL and HTTP POST data: shown on the original page only as images (not reproduced here).
Coordinated Disclosure Timeline

| Event | Date |
|---|---|
| Vulnerability Reported | 17 July, 2020 13:59 GMT |
| Vulnerability Verified | 17 July, 2020 14:14 GMT |
| Website Operator Notified | 17 July, 2020 14:14 GMT |
| Public Report Published (without any technical details) | 17 July, 2020 14:14 GMT |
| Vulnerability Fixed | 14 August, 2020 16:36 GMT |

Website operator notification channels (all marked as done):
      a. Using the ISO 29147 guidelines
      b. Using publicly available security contacts
      c. Using Open Bug Bounty notification framework
      d. Using security contacts provided by the researcher