
# multimedia.haval.ec Improper Access Control vulnerability OBB-1213475

## Description

Following the coordinated and responsible vulnerability disclosure guidelines of the **[ISO 29147](https://www.iso.org/standard/45170.html)** standard, Open Bug Bounty has:

a. verified the vulnerability and confirmed its existence;
b. notified the website operator about its existence.

| Field | Value |
|---|---|
| Affected Website | **[multimedia.haval.ec](http://multimedia.haval.ec)** |
| Open Bug Bounty Program | Create your bounty program now. It's open and free. |
| Vulnerable Application | Custom Code |
| Vulnerability Type | **[IAC (Improper Access Control)](https://www.owasp.org/index.php/Broken_Access_Control)** / CWE-284 |
| CVSSv3 Score | 6.5 [CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N] |
| Disclosure Standard | Coordinated Disclosure based on **[ISO 29147](https://www.iso.org/standard/45170.html)** guidelines |
| Discovered and Reported by | **Badalsardhara2** |
| Remediation Guide | **[OWASP Access Control Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Access_Control_Cheat_Sheet.md)** |
| Vulnerable URL | withheld (shown only as an image on the original page) |

**Mirror:** [Click here to view the mirror](http://1213475.openbounty.org/mirror/)

### Coordinated Disclosure Timeline

| Event | Date |
|---|---|
| Vulnerability Reported | 2 July, 2020 12:29 GMT |
| Vulnerability Verified | 3 July, 2020 08:14 GMT |
| Website Operator Notified | 3 July, 2020 08:14 GMT |
| Public Report Published [without any technical details] | 3 July, 2020 08:14 GMT |
| Vulnerability Fixed | 3 July, 2020 08:22 GMT |

Website operator notification was completed by all of the following channels:

a. Using the ISO 29147 guidelines (done)
b. Using publicly available security contacts (done)
c. Using Open Bug Bounty notification framework (done)
d. Using security contacts provided by the researcher (done)