
findit.batleynews.co.uk Improper Access Control vulnerability OBB-1347662

Description

Following the coordinated and responsible vulnerability disclosure guidelines of the **[ISO 29147](<https://www.iso.org/standard/45170.html>)** standard, Open Bug Bounty has:

a. verified the vulnerability and confirmed its existence;
b. notified the website operator about its existence.

| | |
|---|---|
| Affected Website: | **[findit.batleynews.co.uk](<https://findit.batleynews.co.uk>)** |
| Vulnerable Application: | Custom Code |
| Vulnerability Type: | **[IAC (Improper Access Control)](<https://www.owasp.org/index.php/Broken_Access_Control>)** / CWE-284 |
| CVSSv3 Score: | 6.5 [CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N] |
| Disclosure Standard: | Coordinated Disclosure based on **[ISO 29147](<https://www.iso.org/standard/45170.html>)** guidelines |
| Discovered and Reported by: | **howardpotts** |
| Remediation Guide: | **[OWASP Access Control Cheat Sheet](<https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Access_Control_Cheat_Sheet.md>)** |
| Vulnerable URL: | *(shown only as an image on the original page)* |
| Researcher's Comment: | *(shown only as an image on the original page)* |

**Mirror:** [Click here to view the mirror](<http://1347662.openbounty.org/mirror/>)

### Coordinated Disclosure Timeline

| | |
|---|---|
| Vulnerability Reported: | 18 September, 2020 17:36 GMT |
| Vulnerability Verified: | 21 September, 2020 10:16 GMT |
| Website Operator Notified: | 21 September, 2020 10:16 GMT |
| a. Using the ISO 29147 guidelines | done |
| b. Using publicly available security contacts | done |
| c. Using Open Bug Bounty notification framework | done |
| d. Using security contacts provided by the researcher | done |
| Public Report Published [without any technical details]: | 21 September, 2020 10:16 GMT |
| Vulnerability Fixed: | 22 September, 2020 10:55 GMT |