fluege.de XSS vulnerability

2018-01-29T20:57:00
ID OBB:549459
Type openbugbounty
Reporter ELProfesor
Modified 2018-03-01T10:45:00

Description

Open Bug Bounty ID: OBB-549459

Description| Value
---|---
Affected Website:| fluege.de
Vulnerable Application:| Custom Code
Vulnerability Type:| XSS (Cross Site Scripting) / CWE-79
CVSSv3 Score:| 6.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N]
Disclosure Standard:| Coordinated Disclosure based on ISO 29147 guidelines
Remediation Guide:| OWASP XSS Prevention Cheat Sheet

Vulnerable URL:
http://www.fluege.de/?sFlightInput[areaSearch]=TRUE&sFlightInput[cabinClass]=Y&sFlightInput[f0][depLocation]=&sFlightInput[f0][accMultiAirportDep]=&sFlightInput[f0][depAirport]=&sFlightInput[f0][arrLocation]=&sFlightInput[f0][accMultiAirportArr]=&sFlightInput[f0][arrAirport]=&sFlightInput[f0][date]=31.01.2018&sFlightInput[f0][timeRange]=2&sFlightInput[f1][depLocation]=&sFlightInput[f1][accMultiAirportDep]=&sFlightInput[f1][depAirport]=&sFlightInput[f1][arrLocation]=&sFlightInput[f1][accMultiAirportArr]=1zqjvo'%22()%7B%7D:/1zqjvo;9&sFlightInput[f1][arrAirport]=&sFlightInput[f1][date]=03.02.2018&sFlightInput[f1][timeRange]=2&sFlightInput[flightType]=RT&sFlightInput[nonStop]=FALSE&sFlightInput[page]=1&sFlightInput[paxAdt]=x">&sFlightInput[sortBy]=S&sFlightInput[storeSearch]=true
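The PoC URL carries two values that matter: the Open Bug Bounty style probe `1zqjvo'"(){}:/1zqjvo;9` in `sFlightInput[f1][accMultiAirportArr]` and `x">` in `sFlightInput[paxAdt]`, both chosen to close a quoted attribute or a tag wherever the search form echoes them back. The Python script below is an added example, not code from fluege.de or from Open Bug Bounty. It pulls the probe-carrying parameters out of the PoC query string and then models the reflection two ways: the CWE-79 pattern (value concatenated raw into an `<input value="...">` attribute) beside the fix the linked OWASP cheat sheet prescribes (HTML-attribute encoding). The `<input value="...">` template is an assumption; the page does not show the real fluege.de markup. The URL in the block is a constructed subset of the PoC's parameters.

```python
"""Reflected-XSS triage for the fluege.de search-form PoC.

Added example; not code from fluege.de or Open Bug Bounty. The two render
functions are a hypothetical model of the form (the page does not show the
real template): they assume each sFlightInput[...] value is echoed back into
an <input value="..."> attribute, the usual place a search form reflects its
previous input.
"""
from __future__ import annotations

from html import escape
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit

# Constructed subset of the advisory's PoC URL: the two probe-carrying
# parameters plus a few benign neighbours, keys in PHP-style array syntax.
POC_URL = (
    "http://www.fluege.de/?sFlightInput[areaSearch]=TRUE"
    "&sFlightInput[cabinClass]=Y"
    "&sFlightInput[f1][accMultiAirportArr]=1zqjvo'%22()%7B%7D:/1zqjvo;9"
    "&sFlightInput[flightType]=RT"
    "&sFlightInput[paxAdt]=x\">"
    "&sFlightInput[sortBy]=S"
)

# Characters that terminate a quoted attribute, a tag, or a JS string/block:
# a reflected value containing any of them is worth a closer look.
PROBE_CHARS = set("'\"<>(){}")


def reflected_probe_params(url: str) -> dict[str, str]:
    """Return {name: decoded value} for query parameters carrying probe characters."""
    query = urlsplit(url).query
    # separator="&" keeps the ';' inside the probe (1zqjvo;9) from splitting it.
    pairs = parse_qsl(query, keep_blank_values=True, separator="&")
    return {name: value for name, value in pairs if PROBE_CHARS & set(value)}


def render_vulnerable(name: str, value: str) -> str:
    """CWE-79 pattern: the submitted value is concatenated straight into markup."""
    return f'<input type="text" name="{name}" value="{value}">'


def render_fixed(name: str, value: str) -> str:
    """OWASP rule: HTML-attribute-encode untrusted data inside a quoted attribute."""
    return (f'<input type="text" name="{escape(name, quote=True)}" '
            f'value="{escape(value, quote=True)}">')


class _TagAudit(HTMLParser):
    """Records what a browser-like parser makes of one rendered <input> tag."""

    def __init__(self) -> None:
        super().__init__()
        self.tags = []          # every start tag the parser produced
        self.value = None       # the value attribute of the <input>, if any
        self.stray_text = ""    # text that ended up outside the tag

    def handle_starttag(self, tag, attrs) -> None:
        self.tags.append(tag)
        if tag == "input":
            self.value = dict(attrs).get("value")

    def handle_data(self, data: str) -> None:
        self.stray_text += data


def attribute_survives(markup: str, submitted: str) -> bool:
    """True iff the parser sees exactly one <input>, its value attribute round-trips
    the submitted string, and nothing leaked out of the tag as text or extra tags."""
    audit = _TagAudit()
    audit.feed(markup)
    audit.close()
    return (audit.tags == ["input"]
            and audit.value == submitted
            and audit.stray_text.strip() == "")


def triage(url: str) -> dict[str, tuple[bool, bool]]:
    """For each probe-carrying parameter: (raw echo intact?, encoded echo intact?).

    (False, True) is the reflected-XSS signature: the raw echo lets the probe
    restructure the tag, the encoded echo keeps it as attribute data.
    """
    result = {}
    for name, value in reflected_probe_params(url).items():
        result[name] = (
            attribute_survives(render_vulnerable(name, value), value),
            attribute_survives(render_fixed(name, value), value),
        )
    return result


if __name__ == "__main__":
    for name, (raw_ok, encoded_ok) in triage(POC_URL).items():
        print(f"{name}: raw echo intact={raw_ok}, encoded echo intact={encoded_ok}")
```

Both probe parameters come back as `(False, True)`: with raw concatenation the `"` in `x">` ends the `value` attribute and the `>` closes the tag, so the trailing `">` lands outside it as text, and the `'"` pair in the longer probe truncates the attribute in the same way; after `html.escape(..., quote=True)` the parser returns the submitted string unchanged. The same `attribute_survives` check can be pointed at the real response body once the reflection point is known, which is the verification step an operator would run before closing the report.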

Coordinated Disclosure Timeline

Description| Value
---|---
Vulnerability Reported:| 29 January, 2018 20:57 GMT
Vulnerability Verified:| 29 January, 2018 21:11 GMT
Website Operator Notified:| 29 January, 2018 21:11 GMT
Vulnerability Published:| 29 January, 2018 21:11 GMT [without any technical details]
Vulnerability Fixed:| 1 March, 2018 10:45 GMT
Public Disclosure:| 1 March, 2018 10:45 GMT