Reflected XSS

Disclosed by

Engagement Undisclosed
Disclosed date 9 Sep 2022 over 2 years ago
Priority P3 Bugcrowd's VRT priority rating
Status Resolved This vulnerability has been accepted and fixed

Summary by mewtw0

It is encountered in cases where any input from the user is printed directly on the screen. Since the code received from the user as input is not written to the database, it is presented to the user only once by the internet browser (think of clicking on a link address (URL) sent to you via e-mail or chat program).

Output encoding is the only ultimate solution. The purpose of output encoding is to convert untrusted input into a secure format where it is displayed as data to the user without running it as code or simple words in the browser.

Such vulnerabilities occur due to insufficient filtering of the inputs received by the user. For this reason, any input received by the user must be filtered. You can benefit from additional references in the "Additional Information" field.

Activity

shoko_sakai Customer changed the state to Resolved
7 months ago(13 Sep 2024 04:45:43 UTC)
Akitsugu_Ito Customer published the disclosure report
3 years ago(09 Sep 2022 01:06:44 UTC)
ace_bugcrowd sent a message
3 years ago(13 Oct 2021 17:19:43 UTC)
ace_bugcrowd marked the submission a duplicate of a previously submitted report
3 years ago(13 Oct 2021 17:19:32 UTC)
ace_bugcrowd changed the state to Unresolved
3 years ago(13 Oct 2021 17:19:32 UTC)
ace_bugcrowd updated the submission
3 years ago(13 Oct 2021 17:19:31 UTC)
ace_bugcrowd updated VRT to Cross-Site Scripting (XSS) > Reflected > Non-Self
3 years ago(13 Oct 2021 17:19:31 UTC)
mewtw0 requested disclosure
3 years ago(13 Oct 2021 13:02:33 UTC)
Akitsugu_Ito Customer resolved a blocker for Bugcrowd Operations by responding to comments
3 years ago(13 Oct 2021 04:49:32 UTC)
ace_bugcrowd created a blocker on Rakuten Group, Inc. to respond to comments
3 years ago(08 Oct 2021 17:50:27 UTC)
mewtw0 created the submission
3 years ago(08 Oct 2021 13:37:59 UTC)