
supermexdrugstore.com Cross Site Scripting vulnerability OBB-1251877

Description

Following the coordinated and responsible vulnerability disclosure guidelines of the **[ISO 29147](<https://www.iso.org/standard/45170.html>)** standard, Open Bug Bounty has:

a. verified the vulnerability and confirmed its existence;
b. notified the website operator about its existence.

| Affected Website: | **[supermexdrugstore.com](<http://www.supermexdrugstore.com>)** |
|---|---|
| Vulnerable Application: | Custom Code |
| Vulnerability Type: | **[XSS (Cross Site Scripting)](<https://www.owasp.org/index.php/Cross-site_Scripting_\(XSS\)>)** / CWE-79 |
| CVSSv3 Score: | 6.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N] |
| Disclosure Standard: | Coordinated Disclosure based on **[ISO 29147](<https://www.iso.org/standard/45170.html>)** guidelines |
| Discovered and Reported by: | **xav0** |
| Remediation Guide: | **[OWASP XSS Prevention Cheat Sheet](<https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.md>)** |
| Vulnerable URL: | provided only as an image in the original report |

**Mirror:** [Click here to view the mirror](<http://1251877.openbounty.org/mirror/>)

### Coordinated Disclosure Timeline

| Vulnerability Reported: | 6 August, 2020 08:47 GMT |
|---|---|
| Vulnerability Verified: | 7 August, 2020 09:08 GMT |
| Website Operator Notified: | 7 August, 2020 09:08 GMT |

Notification channels used (all completed):

| a. Using the ISO 29147 guidelines | done |
|---|---|
| b. Using publicly available security contacts | done |
| c. Using Open Bug Bounty notification framework | done |
| d. Using security contacts provided by the researcher | done |

| Public Report Published [without any technical details]: | 7 August, 2020 09:08 GMT |
|---|---|
| Vulnerability Fixed: | 14 September, 2020 15:35 GMT |