
studioilgranello.com Improper Access Control vulnerability OBB-1232731

Description

Following the coordinated and responsible vulnerability disclosure guidelines of the **[ISO 29147](https://www.iso.org/standard/45170.html)** standard, Open Bug Bounty has:

a. verified the vulnerability and confirmed its existence;
b. notified the website operator about its existence.

| Field | Value |
|---|---|
| Affected Website: | **[studioilgranello.com](https://studioilgranello.com)** |
| Vulnerable Application: | Custom Code |
| Vulnerability Type: | **[IAC (Improper Access Control)](https://www.owasp.org/index.php/Broken_Access_Control)** / CWE-284 |
| CVSSv3 Score: | 6.5 [CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N] |
| Disclosure Standard: | Coordinated Disclosure based on **[ISO 29147](https://www.iso.org/standard/45170.html)** guidelines |
| Discovered and Reported by: | **Badalsardhara2** |
| Remediation Guide: | **[OWASP Access Control Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Access_Control_Cheat_Sheet.md)** |
| Vulnerable URL: | (shown only as an image on the original page; not reproduced) |

**Mirror:** [Click here to view the mirror](http://1232731.openbounty.org/mirror/)

### Coordinated Disclosure Timeline

| Event | Date |
|---|---|
| Vulnerability Reported: | 20 July, 2020 10:49 GMT |
| Vulnerability Verified: | 21 July, 2020 10:03 GMT |
| Website Operator Notified: | 21 July, 2020 10:03 GMT |

Operator notification methods used:

| Method | Status |
|---|---|
| a. Using the ISO 29147 guidelines | done |
| b. Using publicly available security contacts | done |
| c. Using Open Bug Bounty notification framework | done |
| d. Using security contacts provided by the researcher | done |

| Event | Date |
|---|---|
| Public Report Published [without any technical details]: | 21 July, 2020 10:03 GMT |
| Vulnerability Fixed: | 21 July, 2020 14:14 GMT |