Following the coordinated and responsible vulnerability disclosure guidelines of ISO 29147, Open Bug Bounty has:
      a. verified the vulnerability and confirmed its existence;
      b. notified the website operator about its existence.
Affected Website: fake-card.com
Open Bug Bounty Program: none registered for this website
Vulnerable Application: Custom Code
Vulnerability Type: XSS (Cross-Site Scripting) / CWE-79
CVSSv3 Score: 6.1 (Medium) [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N]
Disclosure Standard: Coordinated Disclosure based on ISO 29147 guidelines
Discovered and Reported by: geeknik
Remediation Guide: OWASP XSS Prevention Cheat Sheet
Vulnerable URL: withheld; the original page shows it only as an image
Screenshot: fake-card.com vulnerability (/twimages/screen-1246746.jpg)
Mirror: a mirror of the vulnerable page is linked from the original report
Coordinated Disclosure Timeline
Vulnerability Reported: 1 August, 2020 13:59 GMT
Vulnerability Verified: 1 August, 2020 14:15 GMT
Website Operator Notified: 1 August, 2020 14:15 GMT
      a. using the ISO 29147 guidelines: done
      b. using publicly available security contacts: done
      c. using Open Bug Bounty notification framework: done
      d. using security contacts provided by the researcher: done
Public Report Published [without any technical details]: 1 August, 2020 14:15 GMT
Vulnerability Fixed: 29 August, 2020 16:47 GMT
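The report classifies the issue as CWE-79 and points to the OWASP XSS Prevention Cheat Sheet for remediation; the CVSS vector (network, no privileges, user interaction required, changed scope) is the standard scoring for a reflected XSS reached through a crafted link. The following is an added example, not code from the Open Bug Bounty report or from fake-card.com, and it says nothing about where the real flaw was: it shows the generic CWE-79 pattern (request data concatenated into a page) next to the cheat sheet's fix, encoding each insertion for the context it lands in. The "q" search parameter, the page template and the payload are hypothetical.

```javascript
// Added example, not code from the Open Bug Bounty report or from fake-card.com.
// Demonstrates CWE-79 (untrusted request data reflected into HTML) beside the
// OWASP XSS Prevention Cheat Sheet fix: context-aware output encoding.
// The "q" parameter and page template are hypothetical.

// Rule 1: HTML entity encoding for data placed in an HTML element body.
const HTML_ENTITIES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
};
function encodeForHtml(untrusted) {
  return String(untrusted).replace(/[&<>"'\/]/g, (c) => HTML_ENTITIES[c]);
}

// Rule 2: inside a quoted attribute value, encode every non-alphanumeric
// character as &#xHH; so the data can never close the surrounding quotes.
function encodeForHtmlAttribute(untrusted) {
  return String(untrusted).replace(/[^A-Za-z0-9]/g, (c) => {
    const hex = c.charCodeAt(0).toString(16).toUpperCase();
    return `&#x${hex};`;
  });
}

// Rule 3: inside a quoted JavaScript string literal, use \xHH (or \uHHHH)
// escapes. HTML entity encoding does not help in script context.
function encodeForJavaScript(untrusted) {
  return String(untrusted).replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code <= 0xff
      ? `\\x${code.toString(16).toUpperCase().padStart(2, '0')}`
      : `\\u${code.toString(16).toUpperCase().padStart(4, '0')}`;
  });
}

// Vulnerable: the query parameter is concatenated straight into the page in
// element, attribute and script contexts. A victim who follows a crafted link
// carrying a payload in q runs attacker script in their browser (CWE-79).
function renderSearchPageVulnerable(q) {
  return [
    `<h1>Results for ${q}</h1>`,
    `<input name="q" value="${q}">`,
    `<script>var lastQuery = "${q}";</script>`,
  ].join('\n');
}

// Fixed: the same template with each insertion encoded for its own context.
function renderSearchPageSafe(q) {
  return [
    `<h1>Results for ${encodeForHtml(q)}</h1>`,
    `<input name="q" value="${encodeForHtmlAttribute(q)}">`,
    `<script>var lastQuery = "${encodeForJavaScript(q)}";</script>`,
  ].join('\n');
}

// Constructed payload: closes an attribute, injects a tag, closes a string.
const DEMO_PAYLOAD = '"><script>alert(1)</script>';

// Demonstration checks only; a real test would load the page in a browser.
// Does the rendered page contain the injected tag verbatim?
function reflectsRawScript(html) {
  return html.includes('<script>alert(1)</script>');
}
// How many <script opening tags does the page contain? The template itself
// contributes exactly one.
function countScriptTags(html) {
  return (html.match(/<script/g) || []).length;
}
```

Usage: `renderSearchPageVulnerable(DEMO_PAYLOAD)` yields a page with the injected tag present in all three contexts, while `renderSearchPageSafe(DEMO_PAYLOAD)` keeps only the template's own script element. The three encoders are the minimal rule set from the cheat sheet; in a real application prefer a template engine with context-aware auto-escaping or a maintained encoding library, and note that applying the wrong encoder for the context (entity encoding inside a script block, for instance) does not prevent XSS.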