amphibiaweb.org XSS vulnerability

2017-05-29T20:24:00
ID OBB:242859
Type openbugbounty
Reporter Random_Robbie
Modified 2017-11-26T14:32:00

Description

Vulnerable URL:
http://amphibiaweb.org:8000/cgi/amphib_query?rel-common_name=like&rel-family=equals&rel-ordr=equals&rel-intro_isocc=like&rel-description=like&rel-distribution=like&rel-life_history=like&rel-trends_and_threats=like&rel-relation_to_humans=like&rel-comments=like&rel-submittedby=like&max=200&orderbyaw=Family&include_synonymies=Yes&show_photos=Yes&rel-scientific_name=contains&where-scientific_name=&rel-genus=equals&where-genus=&rel-species=equals&where-species=&where-common_name="'--!>&where-subfamily=&where-family=any&where-ordr=any&rel-isocc=occurs+in&where-isocc=&rel-species_account=matchboolean&where-species_account=&rel-declinecauses=equals&where-declinecauses=&rel-iucn=begins+with&where-iucn=&rel-cites=equals&where-cites=&where-submittedby=
Details:

Description| Value
---|---
Patched:| Yes, on 26.11.2017
Latest check for patch:| 26.11.2017 14:32 GMT
Vulnerability type:| XSS
Vulnerability status:| Publicly disclosed
Alexa Rank| 390297
VIP website status:| No
Check amphibiaweb.org SSL connection:| (Grade: F)

Coordinated Disclosure Timeline:

Description| Value
---|---
Vulnerability submitted via Open Bug Bounty| 29 May, 2017 20:24 GMT
Generic security notifications sent to website owner| 29 May, 2017 20:27 GMT
Notification sent to subscribers (without technical details)| 29 May, 2017 22:17 GMT
Vulnerability details disclosed by researcher| 10 July, 2017 21:15 GMT
Vulnerability patched by the website owner| 26 November, 2017 14:32 GMT