Stored XSS on Delijn.be

De Lijn (Dutch for "The Line") is a Flemish public transport company operated by the Flemish government of Belgium.
It runs several modes of transport:

  • buses
  • trams
  • coast trams
  • and a bus on call / bus on demand.

The XSS itself:
You could enter a script as your name, and the system did not filter it, which was very odd. The name is stored, so whenever a page that displays it is loaded, the script runs and the information box appears.
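As an added example (not code from this post or from De Lijn's site), the two rendering patterns behind a stored XSS in a name field, in plain JavaScript: the unsafe concatenation that lets markup in a stored name through, and the output-encoded version that displays it as text. The function names and the sample name are assumptions.

```javascript
// Added example, not from the original post. Node.js, no dependencies.

// Minimal entity encoder for text placed between HTML tags. It is only
// correct for that context; attribute, JavaScript and URL contexts need
// their own encoding rules.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Reverse of escapeHtml, used here to show that encoding does not lose
// the original name: the browser renders exactly what the user typed.
function decodeEntities(text) {
  const map = { '&amp;': '&', '&lt;': '<', '&gt;': '>', '&quot;': '"', '&#39;': "'" };
  return text.replace(/&(amp|lt|gt|quot|#39);/g, (m) => map[m]);
}

// Vulnerable pattern: the stored name is concatenated straight into the
// markup, so any tags inside it are interpreted by the browser on every
// page load (a stored XSS, as described in the post).
function renderGreetingUnsafe(storedName) {
  return `<div class="greeting">Welcome, ${storedName}</div>`;
}

// Hardened pattern: encode at output time, so the same stored value is
// shown as literal text. In DOM code, element.textContent = name achieves
// the same thing without string building.
function renderGreetingSafe(storedName) {
  return `<div class="greeting">Welcome, ${escapeHtml(storedName)}</div>`;
}

// Constructed sample (hypothetical): a display name containing markup.
const SAMPLE_NAME = 'Jan <script>alert(1)</script>';

// Check a regression test can run over rendered output: does a raw
// script tag survive where only plain text was supposed to appear?
function leaksScriptTag(html) {
  return /<script\b/i.test(html);
}

module.exports = { escapeHtml, decodeEntities, renderGreetingUnsafe, renderGreetingSafe, leaksScriptTag, SAMPLE_NAME };
```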


Extra info:
* Authentication required


Update: 25 August

Got a positive response from the IT team, with notice that they'll fix this.

Researcher: Triponoid