All Vulnerabilities for kssst.kdor.ks.gov Patched via Open Bug Bounty


Following the coordinated and responsible vulnerability disclosure guidelines of the **[ISO 29147](<https://www.iso.org/standard/45170.html>)** standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Affected Website:| **[kssst.kdor.ks.gov](<https://kssst.kdor.ks.gov>) ** ---|--- Open Bug Bounty Program:| **Create your bounty program now**. It's open and free. Vulnerable Application:| Custom Code Vulnerability Type:| **[XSS (Cross Site Scripting)](<https://owasp.org/www-community/attacks/xss/>)** / CWE-79 CVSSv3 Score:| 6.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N] Disclosure Standard:| Coordinated Disclosure based on **[ISO 29147](<https://www.iso.org/standard/45170.html>)** guidelines Discovered and Reported by:| **devl00p ** Remediation Guide:| **[OWASP XSS Prevention Cheat Sheet](<https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html>)** Export Vulnerability Data:| Bugzilla Vulnerability Data JIRA Vulnerability Data [ Configuration ] Mantis Vulnerability Data Splunk Vulnerability Data XML Vulnerability Data [ XSD ] Vulnerable URL: https: //kssst..kdor.ks.gov/webLookupZipResults.cfm --- HTTP POST data: IntZipS=defau1tsIntZip4=<ScRiPt>alert (*wobo4zjtfu' )</sCrIpT> --- Research's Comment: The parameter IntZip4 of the script /webLookupZipResults.cfm --- **Screenshot:** ![kssst.kdor.ks.gov vulnerability](/twimages/screen-2278320.jpg) **Mirror:** [Click here to view the mirror](<http://2278320.openbounty.org/mirror/>) ### Coordinated Disclosure Timeline Vulnerability Reported:| 21 November, 2021 08:12 GMT ---|--- Vulnerability Verified:| 21 November, 2021 08:27 GMT Website Operator Notified:| 21 November, 2021 08:27 GMT a. Using the ISO 29147 guidelines| ![](/images/done.png) ---|--- b. Using publicly available security contacts| ![](/images/done.png) c. Using Open Bug Bounty notification framework| ![](/images/done.png) d. Using security contacts provided by the researcher| ![](/images/done.png) x. Using Twitter notification| ![](/images/done.png) Public Report Published [without technical details]:| 21 November, 2021 08:27 GMT Vulnerability Fixed:| 15 February, 2022 23:57 GMT ---|---