
thimpress.com Improper Access Control vulnerability OBB-1214931

Description

Following the coordinated and responsible vulnerability disclosure guidelines of the **[ISO 29147](<https://www.iso.org/standard/45170.html>)** standard, Open Bug Bounty has:

a. verified the vulnerability and confirmed its existence;
b. notified the website operator about its existence.

| Field | Value |
|---|---|
| Affected Website | **[thimpress.com](<https://thimpress.com>)** |
| Open Bug Bounty Program | **Create your bounty program now**. It's open and free. |
| Vulnerable Application | Custom Code |
| Vulnerability Type | **[IAC (Improper Access Control)](<https://www.owasp.org/index.php/Broken_Access_Control>)** / CWE-284 |
| CVSSv3 Score | 6.5 [CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N] |
| Disclosure Standard | Coordinated Disclosure based on **[ISO 29147](<https://www.iso.org/standard/45170.html>)** guidelines |
| Discovered and Reported by | **kun-fly** |
| Remediation Guide | **[OWASP Access Control Cheat Sheet](<https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Access_Control_Cheat_Sheet.md>)** |
| Vulnerable URL | (shown only as an image on the original page; not reproduced here) |

**Mirror:** [Click here to view the mirror](<http://1214931.openbounty.org/mirror/>)

### Coordinated Disclosure Timeline

| Event | Date / Status |
|---|---|
| Vulnerability Reported | 3 July, 2020 15:04 GMT |
| Vulnerability Verified | 6 July, 2020 07:47 GMT |
| Website Operator Notified | 6 July, 2020 07:47 GMT |
| a. Using the ISO 29147 guidelines | done |
| b. Using publicly available security contacts | done |
| c. Using Open Bug Bounty notification framework | done |
| d. Using security contacts provided by the researcher | done |
| Public Report Published [without any technical details] | 6 July, 2020 07:47 GMT |
| Vulnerability Fixed | 7 July, 2020 10:06 GMT |