Following coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has:
      a. verified the vulnerability and confirmed its existence;
      b. notified the website operator about its existence.
| Field | Value |
| --- | --- |
| Affected Website | checkinsaopaulo.com |
| Open Bug Bounty Program | none listed for this site |
| Vulnerable Application | Custom Code |
| Vulnerability Type | IAC (Improper Access Control) / CWE-284 |
| CVSSv3 Score | 6.5 (Medium) [CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N] |
| Disclosure Standard | Coordinated Disclosure based on ISO 29147 guidelines |
| Discovered and Reported by | VighneshGupta |
| Remediation Guide | OWASP Access Control Cheat Sheet |
Vulnerable URL: not disclosed in the public report (rendered only as an image in the original; not reproduced here)
Researcher's Comment: not disclosed in the public report (rendered only as an image in the original; not reproduced here)
Coordinated Disclosure Timeline

| Event | Date |
| --- | --- |
| Vulnerability Reported | 12 September, 2020 04:14 GMT |
| Vulnerability Verified | 15 September, 2020 11:09 GMT |
| Website Operator Notified | 15 September, 2020 11:09 GMT |
| Public Report Published (without any technical details) | 15 September, 2020 11:09 GMT |
| Vulnerability Fixed | 17 September, 2020 11:20 GMT |

Operator notification channels (all marked as completed in the original report):
      a. Using the ISO 29147 guidelines
      b. Using publicly available security contacts
      c. Using Open Bug Bounty notification framework
      d. Using security contacts provided by the researcher