
smartrecovery.org Improper Access Control vulnerability OBB-1319567

Description

Following coordinated and responsible vulnerability disclosure guidelines of the **[ISO 29147](<https://www.iso.org/standard/45170.html>)** standard, Open Bug Bounty has:

a. verified the vulnerability and confirmed its existence;
b. notified the website operator about its existence.

| Field | Value |
|---|---|
| Affected Website: | **[smartrecovery.org](<https://www.smartrecovery.org>)** |
| Vulnerable Application: | Custom Code |
| Vulnerability Type: | **[IAC (Improper Access Control)](<https://www.owasp.org/index.php/Broken_Access_Control>)** / CWE-284 |
| CVSSv3 Score: | 6.5 [CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N] |
| Disclosure Standard: | Coordinated Disclosure based on **[ISO 29147](<https://www.iso.org/standard/45170.html>)** guidelines |
| Discovered and Reported by: | **VighneshGupta** |
| Remediation Guide: | **[OWASP Access Control Cheat Sheet](<https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Access_Control_Cheat_Sheet.md>)** |
| Vulnerable URL: | (screenshot image on the original page; not reproduced here) |
| Researcher's Comment: | (screenshot image on the original page; not reproduced here) |

**Mirror:** [Click here to view the mirror](<http://1319567.openbounty.org/mirror/>)

### Coordinated Disclosure Timeline

| Step | Date / status |
|---|---|
| Vulnerability Reported: | 10 September, 2020 05:27 GMT |
| Vulnerability Verified: | 15 September, 2020 11:22 GMT |
| Website Operator Notified: | 15 September, 2020 11:22 GMT |
| a. Using the ISO 29147 guidelines | done |
| b. Using publicly available security contacts | done |
| c. Using Open Bug Bounty notification framework | done |
| d. Using security contacts provided by the researcher | done |
| Public Report Published [without any technical details]: | 15 September, 2020 11:22 GMT |
| Vulnerability Fixed: | 21 September, 2020 16:15 GMT |