
hihaydockm6j23hotel.co.uk Improper Access Control vulnerability OBB-1221115

Description

Following coordinated and responsible vulnerability disclosure guidelines of the **[ISO 29147](<https://www.iso.org/standard/45170.html>)** standard, Open Bug Bounty has:

a. verified the vulnerability and confirmed its existence;
b. notified the website operator about its existence.

| Field | Value |
|---|---|
| Affected Website: | **[hihaydockm6j23hotel.co.uk](<https://www.hihaydockm6j23hotel.co.uk>)** |
| Open Bug Bounty Program: | **Create your bounty program now**. It's open and free. |
| Vulnerable Application: | Custom Code |
| Vulnerability Type: | **[IAC (Improper Access Control)](<https://www.owasp.org/index.php/Broken_Access_Control>)** / CWE-284 |
| CVSSv3 Score: | 6.5 [CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N] |
| Disclosure Standard: | Coordinated Disclosure based on **[ISO 29147](<https://www.iso.org/standard/45170.html>)** guidelines |
| Discovered and Reported by: | **howardpotts** |
| Remediation Guide: | **[OWASP Access Control Cheat Sheet](<https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Access_Control_Cheat_Sheet.md>)** |
| Vulnerable URL: | (provided as an image on the original page; not reproduced here) |
| Research's Comment: | (provided as an image on the original page; not reproduced here) |

**Mirror:** [Click here to view the mirror](<http://1221115.openbounty.org/mirror/>)

### Coordinated Disclosure Timeline

| Event | Date / Status |
|---|---|
| Vulnerability Reported: | 10 July, 2020 17:44 GMT |
| Vulnerability Verified: | 13 July, 2020 10:21 GMT |
| Website Operator Notified: | 13 July, 2020 10:21 GMT |
| a. Using the ISO 29147 guidelines | done |
| b. Using publicly available security contacts | done |
| c. Using Open Bug Bounty notification framework | done |
| d. Using security contacts provided by the researcher | done |
| Public Report Published [without any technical details]: | 13 July, 2020 10:21 GMT |
| Vulnerability Fixed: | 13 July, 2020 10:54 GMT |