
termowood.net Cross Site Scripting vulnerability OBB-1270675

Description

Following the coordinated and responsible vulnerability disclosure guidelines of the **[ISO 29147](<https://www.iso.org/standard/45170.html>)** standard, Open Bug Bounty has:

a. verified the vulnerability and confirmed its existence;
b. notified the website operator about its existence.

Affected Website:| **[termowood.net](<https://www.termowood.net>)**
---|---
Open Bug Bounty Program:| **Create your bounty program now**
Vulnerable Application:| Custom Code
Vulnerability Type:| **[XSS (Cross Site Scripting)](<https://www.owasp.org/index.php/Cross-site_Scripting_\(XSS\)>)** / CWE-79
CVSSv3 Score:| 6.1 (Medium) [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N]
Disclosure Standard:| Coordinated Disclosure based on **[ISO 29147](<https://www.iso.org/standard/45170.html>)** guidelines
Discovered and Reported by:| **xav0**
Remediation Guide:| **[OWASP XSS Prevention Cheat Sheet](<https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.md>)**
Vulnerable URL:| (provided only as an image on the original page; not disclosed in text form)
Mirror:| [Click here to view the mirror](<http://1270675.openbounty.org/mirror/>)

### Coordinated Disclosure Timeline

Vulnerability Reported:| 23 August, 2020 12:15 GMT
---|---
Vulnerability Verified:| 23 August, 2020 12:26 GMT
Website Operator Notified:| 23 August, 2020 12:26 GMT
a. Using the ISO 29147 guidelines| done
b. Using publicly available security contacts| done
c. Using Open Bug Bounty notification framework| done
d. Using security contacts provided by the researcher| done
Public Report Published [without any technical details]:| 23 August, 2020 12:26 GMT
Vulnerability Fixed:| 16 September, 2020 17:54 GMT