Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has:
      a. verified the vulnerability and confirmed its existence;
      b. notified the website operator about its existence.
Affected Website: circuitoscienciaviva.pt
Vulnerable Application: Custom Code
Vulnerability Type: IAC (Improper Access Control) / CWE-284
CVSSv3 Score: 6.5 [CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N] (network-reachable, low attack complexity, low privileges required, no user interaction, scope unchanged, high confidentiality impact, no integrity or availability impact)
Disclosure Standard: Coordinated Disclosure based on ISO 29147 guidelines
Discovered and Reported by: Gh05tPT
Remediation Guide: OWASP Access Control Cheat Sheet
Vulnerable URL: (shown only as an image in the original report; not reproduced here)
HTTP POST data: (shown only as an image in the original report; not reproduced here)
Researcher's Comment: (shown only as an image in the original report; not reproduced here)
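The report gives the vulnerability class (Improper Access Control, CWE-284), the affected layer (custom code behind an HTTP POST endpoint) and a vector in which an authenticated low-privilege user gains full read access, but by design no technical details. The following added example is not the site's code and does not reproduce the reported flaw, which is undisclosed; it shows the generic shape of that class, a handler that authenticates the caller but never authorizes the requested object, next to the server-side check the OWASP Access Control Cheat Sheet prescribes. The record store, user roles, field names and handler signatures are constructed for the illustration.

```python
"""Improper access control (CWE-284) on a POST endpoint: vulnerable vs hardened.

Added example for this report page. It is not the code of circuitoscienciaviva.pt
and does not reproduce the reported flaw (the report publishes no details); it
illustrates the vulnerability class: an authenticated low-privilege user (PR:L)
reading records that belong to someone else (C:H) because the server trusts a
client-supplied identifier. All data and names below are constructed.
"""
from dataclasses import dataclass

# Constructed sample data: three records owned by two different users.
RECORDS = {
    101: {"owner": "alice", "email": "alice@example.com", "phone": "+351 000 000 001"},
    102: {"owner": "bob",   "email": "bob@example.com",   "phone": "+351 000 000 002"},
    103: {"owner": "alice", "email": "alice@example.com", "phone": "+351 000 000 003"},
}

# Constructed role table; only an admin may read records owned by others.
ROLES = {"alice": "user", "bob": "user", "carol": "admin"}


@dataclass
class Response:
    status: int
    body: dict


def _parse_record_id(post_data: dict):
    """Validate the client-supplied identifier; return None if it is unusable."""
    raw = post_data.get("record_id", "")
    return int(raw) if raw.isdigit() else None


def vulnerable_get_record(session_user: str, post_data: dict) -> Response:
    """Vulnerable: the caller is logged in, so the handler assumes it may read
    whatever record_id the POST body names. Any user can read any record."""
    rid = _parse_record_id(post_data)
    if rid is None or rid not in RECORDS:
        return Response(404, {"error": "not found"})
    return Response(200, RECORDS[rid])          # no ownership or role check


def hardened_get_record(session_user: str, post_data: dict) -> Response:
    """Hardened: deny by default, and decide from server-side state only
    (the session's user and the record's owner), never from the request."""
    if session_user not in ROLES:               # not authenticated
        return Response(401, {"error": "authentication required"})
    rid = _parse_record_id(post_data)
    if rid is None or rid not in RECORDS:
        return Response(404, {"error": "not found"})
    record = RECORDS[rid]
    is_owner = record["owner"] == session_user
    is_admin = ROLES[session_user] == "admin"
    if not (is_owner or is_admin):
        # Deliberately the same status and body as the missing-record case, so
        # a caller cannot enumerate which identifiers exist by comparing
        # 403 with 404 responses. Log the denial server-side instead.
        return Response(404, {"error": "not found"})
    return Response(200, record)


if __name__ == "__main__":
    # bob (an ordinary user) asks for alice's record 101.
    print("vulnerable:", vulnerable_get_record("bob", {"record_id": "101"}))
    print("hardened:  ", hardened_get_record("bob", {"record_id": "101"}))
```

The fix is the authorization decision itself, not input validation: `_parse_record_id` is identical in both handlers, and the vulnerable one still fails even with a perfectly well-formed request. When testing a POST endpoint for this class, log in as two low-privilege accounts, replay one account's request with the other account's identifiers, and treat any 200 carrying the other account's data as a finding.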
Coordinated Disclosure Timeline
Vulnerability Reported: 15 February, 2020 22:44 GMT
Vulnerability Verified: 18 February, 2020 08:40 GMT
Website Operator Notified: 18 February, 2020 08:40 GMT
      a. Using the ISO 29147 guidelines: done
      b. Using publicly available security contacts: done
      c. Using Open Bug Bounty notification framework: done
      d. Using security contacts provided by the researcher: done
Public Report Published [without any technical details]: 18 February, 2020 08:40 GMT
Vulnerability Fixed: 8 May, 2020 19:59 GMT