
valvefarm.com Cross Site Scripting vulnerability OBB-1230918

Description

Following coordinated and responsible vulnerability disclosure guidelines of the **[ISO 29147](<https://www.iso.org/standard/45170.html>)** standard, Open Bug Bounty has:

a. verified the vulnerability and confirmed its existence;
b. notified the website operator about its existence.

Affected Website:| **[valvefarm.com](<http://valvefarm.com>)**
---|---
Vulnerable Application:| Custom Code
Vulnerability Type:| **[XSS (Cross Site Scripting)](<https://www.owasp.org/index.php/Cross-site_Scripting_\(XSS\)>)** / CWE-79
CVSSv3 Score:| 6.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N]
Disclosure Standard:| Coordinated Disclosure based on **[ISO 29147](<https://www.iso.org/standard/45170.html>)** guidelines
Discovered and Reported by:| **xav0**
Remediation Guide:| **[OWASP XSS Prevention Cheat Sheet](<https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.md>)**

**Mirror:** [Click here to view the mirror](<http://1230918.openbounty.org/mirror/>)

### Coordinated Disclosure Timeline

Vulnerability Reported:| 19 July, 2020 08:07 GMT
---|---
Vulnerability Verified:| 19 July, 2020 08:18 GMT
Website Operator Notified:| 19 July, 2020 08:18 GMT
a. Using the ISO 29147 guidelines| Done
b. Using publicly available security contacts| Done
c. Using Open Bug Bounty notification framework| Done
d. Using security contacts provided by the researcher| Done
Public Report Published [without any technical details]:| 19 July, 2020 08:18 GMT
Vulnerability Fixed:| 13 August, 2020 19:52 GMT