
oanhstore.com Cross Site Scripting vulnerability OBB-1234489

Description

Following the coordinated and responsible vulnerability disclosure guidelines of the **[ISO 29147](<https://www.iso.org/standard/45170.html>)** standard, Open Bug Bounty has:

a. verified the vulnerability and confirmed its existence;
b. notified the website operator about its existence.

| | |
|---|---|
| Affected Website: | **[oanhstore.com](<https://oanhstore.com>)** |
| Vulnerable Application: | Custom Code |
| Vulnerability Type: | **[XSS (Cross Site Scripting)](<https://www.owasp.org/index.php/Cross-site_Scripting_\(XSS\)>)** / CWE-79 |
| CVSSv3 Score: | 6.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N] |
| Disclosure Standard: | Coordinated Disclosure based on **[ISO 29147](<https://www.iso.org/standard/45170.html>)** guidelines |
| Discovered and Reported by: | **xav0** |
| Remediation Guide: | **[OWASP XSS Prevention Cheat Sheet](<https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.md>)** |
| Vulnerable URL: | shown only as an image on the original page; the public report carries no technical details |

**Screenshot:** ![oanhstore.com vulnerability](/twimages/screen-1234489.jpg)

**Mirror:** [Click here to view the mirror](<http://1234489.openbounty.org/mirror/>)

### Coordinated Disclosure Timeline

| | |
|---|---|
| Vulnerability Reported: | 22 July, 2020 08:41 GMT |
| Vulnerability Verified: | 22 July, 2020 08:52 GMT |
| Website Operator Notified: | 22 July, 2020 08:52 GMT |
| a. Using the ISO 29147 guidelines | done |
| b. Using publicly available security contacts | done |
| c. Using Open Bug Bounty notification framework | done |
| d. Using security contacts provided by the researcher | done |
| Public Report Published [without any technical details]: | 22 July, 2020 08:52 GMT |
| Vulnerability Fixed: | 15 August, 2020 20:16 GMT |