Open Bug Bounty ID: OBB-1155750
Following coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has:
      a. verified the vulnerability and confirmed its existence;
      b. notified the website operator about its existence.
Affected Website: unitheque.com
Vulnerable Application: Custom Code
Vulnerability Type: XSS (Cross Site Scripting) / CWE-79
CVSSv3 Score: 6.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N]
Disclosure Standard: Coordinated Disclosure based on ISO 29147 guidelines
Discovered and Reported by: ark1nar
Remediation Guide: OWASP XSS Prevention Cheat Sheet
Vulnerable URL:
HTTP POST data:
Screenshot:
Coordinated Disclosure Timeline
Vulnerability Reported: 4 May, 2020 12:21 GMT
Vulnerability Verified: 4 May, 2020 12:30 GMT
Website Operator Notified: 4 May, 2020 12:30 GMT
      a. Using the ISO 29147 guidelines
      b. Using publicly available security contacts
      c. Using Open Bug Bounty notification framework
      d. Using security contacts provided by the researcher
Public Report Published [without any technical details]: 4 May, 2020 12:30 GMT