
cloudwards.net Improper Access Control vulnerability OBB-1214256

Description

Following coordinated and responsible vulnerability disclosure guidelines of the **[ISO 29147](<https://www.iso.org/standard/45170.html>)** standard, Open Bug Bounty has:

a. verified the vulnerability and confirmed its existence;
b. notified the website operator about its existence.

Affected Website: | **[cloudwards.net](<https://www.cloudwards.net>)**
---|---
Vulnerable Application: | Custom Code
Vulnerability Type: | **[IAC (Improper Access Control)](<https://www.owasp.org/index.php/Broken_Access_Control>)** / CWE-284
CVSSv3 Score: | 6.5 [CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N]
Disclosure Standard: | Coordinated Disclosure based on **[ISO 29147](<https://www.iso.org/standard/45170.html>)** guidelines
Discovered and Reported by: | **singhnitesh21**
Remediation Guide: | **[OWASP Access Control Cheat Sheet](<https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Access_Control_Cheat_Sheet.md>)**
Vulnerable URL: | *[image]*
Research's Comment: | *[image]*

**Mirror:** [Click here to view the mirror](<http://1214256.openbounty.org/mirror/>)

### Coordinated Disclosure Timeline

Vulnerability Reported: | 2 July, 2020 20:18 GMT
---|---
Vulnerability Verified: | 3 July, 2020 09:04 GMT
Website Operator Notified: | 3 July, 2020 09:04 GMT
a. Using the ISO 29147 guidelines | Done
b. Using publicly available security contacts | Done
c. Using Open Bug Bounty notification framework | Done
d. Using security contacts provided by the researcher | Done
Public Report Published [without any technical details]: | 3 July, 2020 09:04 GMT
Vulnerability Fixed: | 3 July, 2020 09:10 GMT