Following coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has:
      a. verified the vulnerability and confirmed its existence;
      b. notified the website operator about its existence.
Affected Website: buro247.my
Open Bug Bounty Program:
Vulnerable Application: Custom Code
Vulnerability Type: IAC (Improper Access Control) / CWE-284
CVSSv3 Score: 6.5 [CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N]
Disclosure Standard: Coordinated Disclosure based on ISO 29147 guidelines
Discovered and Reported by: howardpotts
Remediation Guide: OWASP Access Control Cheat Sheet
Vulnerable URL: (provided only as an image on the original page)
Researcher's Comment: (provided only as an image on the original page)
Coordinated Disclosure Timeline
Vulnerability Reported: 22 September, 2020 14:50 GMT
Vulnerability Verified: 24 September, 2020 13:17 GMT
Website Operator Notified: 24 September, 2020 13:17 GMT
      a. Using the ISO 29147 guidelines
      b. Using publicly available security contacts
      c. Using Open Bug Bounty notification framework
      d. Using security contacts provided by the researcher
Public Report Published [without any technical details]: 24 September, 2020 13:17 GMT
Vulnerability Fixed: 24 September, 2020 17:54 GMT