
vpn.sicis.co.jp Cross Site Scripting vulnerability

Description

Open Bug Bounty ID: OBB-956285

Following coordinated and responsible vulnerability disclosure guidelines of the **[ISO 29147](<https://www.iso.org/standard/45170.html>)** standard, Open Bug Bounty has:

a. verified the vulnerability and confirmed its existence;
b. notified the website operator about its existence.

Affected Website:| **[vpn.sicis.co.jp](<https://vpn.sicis.co.jp>)**
---|---
Vulnerable Application:| Custom Code
Vulnerability Type:| **[XSS (Cross Site Scripting)](<https://www.owasp.org/index.php/Cross-site_Scripting_\(XSS\)>)** / CWE-79
CVSSv3 Score:| 6.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N]
Disclosure Standard:| Coordinated Disclosure based on **[ISO 29147](<https://www.iso.org/standard/45170.html>)** guidelines
Discovered and Reported by:| **Spam404**
Remediation Guide:| **[OWASP XSS Prevention Cheat Sheet](<https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.md>)**
Vulnerable URL:| [image]

**Screenshot:** ![vpn.sicis.co.jp vulnerability](/twimages/screen-956285.jpg)

**Mirror:** [Click here to view the mirror](<http://956285.openbounty.org/mirror/>)

### Coordinated Disclosure Timeline

Vulnerability Reported:| 5 September, 2019 07:36 GMT
---|---
Vulnerability Verified:| 5 September, 2019 07:45 GMT
Website Operator Notified:| 5 September, 2019 07:45 GMT
a. Using the ISO 29147 guidelines| Done
b. Using publicly available security contacts| Done
c. Using Open Bug Bounty notification framework| Done
d. Using security contacts provided by the researcher| Done
Public Report Published [without any technical details]:| 5 September, 2019 07:45 GMT