
r20.com Cross Site Scripting vulnerability OBB-1276451

Description

Following the coordinated and responsible vulnerability disclosure guidelines of the **[ISO 29147](https://www.iso.org/standard/45170.html)** standard, Open Bug Bounty has:

a. verified the vulnerability and confirmed its existence;
b. notified the website operator about its existence.

| Field | Value |
|---|---|
| Affected Website: | **[r20.com](http://r20.com)** |
| Vulnerable Application: | Custom Code |
| Vulnerability Type: | **[XSS (Cross Site Scripting)](https://www.owasp.org/index.php/Cross-site_Scripting_\(XSS\))** / CWE-79 |
| CVSSv3 Score: | 6.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N] |
| Disclosure Standard: | Coordinated Disclosure based on **[ISO 29147](https://www.iso.org/standard/45170.html)** guidelines |
| Discovered and Reported by: | **geeknik** |
| Remediation Guide: | **[OWASP XSS Prevention Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.md)** |

**Mirror:** [Click here to view the mirror](http://1276451.openbounty.org/mirror/)

### Coordinated Disclosure Timeline

| Event | Date |
|---|---|
| Vulnerability Reported: | 25 August, 2020 16:00 GMT |
| Vulnerability Verified: | 25 August, 2020 16:09 GMT |
| Website Operator Notified: | 25 August, 2020 16:09 GMT |

Notification methods used:

a. Using the ISO 29147 guidelines: done
b. Using publicly available security contacts: done
c. Using Open Bug Bounty notification framework: done
d. Using security contacts provided by the researcher: done

| Event | Date |
|---|---|
| Public Report Published [without any technical details]: | 25 August, 2020 16:09 GMT |
| Vulnerability Fixed: | 1 October, 2020 21:23 GMT |