
# visitbuffaloniagara.com Improper Access Control vulnerability OBB-1347390

## Description

Following the coordinated and responsible vulnerability disclosure guidelines of the **[ISO 29147](<https://www.iso.org/standard/45170.html>)** standard, Open Bug Bounty has:

a. verified the vulnerability and confirmed its existence;
b. notified the website operator about its existence.

| Field | Value |
|---|---|
| Affected Website: | **[visitbuffaloniagara.com](<https://www.visitbuffaloniagara.com>)** |
| Vulnerable Application: | Custom Code |
| Vulnerability Type: | **[IAC (Improper Access Control)](<https://www.owasp.org/index.php/Broken_Access_Control>)** / CWE-284 |
| CVSSv3 Score: | 6.5 [CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N] |
| Disclosure Standard: | Coordinated Disclosure based on **[ISO 29147](<https://www.iso.org/standard/45170.html>)** guidelines |
| Discovered and Reported by: | **howardpotts** |
| Remediation Guide: | **[OWASP Access Control Cheat Sheet](<https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Access_Control_Cheat_Sheet.md>)** |

The CVSS vector describes a flaw reachable over the network (AV:N) with low attack complexity (AC:L) by an attacker who already holds low privileges on the site (PR:L), with no user interaction (UI:N), no scope change (S:U), and a high impact on confidentiality (C:H) but none on integrity or availability (I:N/A:N). The report publishes no further technical details, so nothing beyond what the vector states can be inferred about the affected functionality.

Vulnerable URL: (shown only as an image on the original page; not reproduced here)

Researcher's Comment: (shown only as an image on the original page; not reproduced here)

**Mirror:** [Click here to view the mirror](<http://1347390.openbounty.org/mirror/>)

### Coordinated Disclosure Timeline

| Step | Date / Status |
|---|---|
| Vulnerability Reported: | 18 September, 2020 15:09 GMT |
| Vulnerability Verified: | 21 September, 2020 10:23 GMT |
| Website Operator Notified: | 21 September, 2020 10:23 GMT |
| a. Using the ISO 29147 guidelines | done |
| b. Using publicly available security contacts | done |
| c. Using Open Bug Bounty notification framework | done |
| d. Using security contacts provided by the researcher | done |
| Public Report Published [without any technical details]: | 21 September, 2020 10:23 GMT |
| Vulnerability Fixed: | 22 September, 2020 11:12 GMT |