science-television.com Improper Access Control vulnerability OBB-1379968

2020-10-0315:42:00

howardpotts

www.openbugbounty.org

JSON

Following coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has:

&nbsp&nbsp&nbsp&nbsp&nbsp&nbspa. verified the vulnerability and confirmed its existence;
&nbsp&nbsp&nbsp&nbsp&nbsp&nbspb. notified the website operator about its existence.

Affected Website:	science-television.com
Open Bug Bounty Program:	Create your bounty program now. It’s open and free.
Vulnerable Application:	Custom Code
Vulnerability Type:	IAC (Improper Access Control) / CWE-284
CVSSv3 Score:	6.5 [CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N]
Disclosure Standard:	Coordinated Disclosure based on ISO 29147 guidelines
Discovered and Reported by:	howardpotts
Remediation Guide:	OWASP Access Control Cheat Sheet
Export Vulnerability Data:	Bugzilla Vulnerability Data
JIRA Vulnerability Data [ Configuration ]
Mantis Vulnerability Data
Splunk Vulnerability Data
XML Vulnerability Data [ XSD ]

Vulnerable URL:

![](data:image/png;base64, iVBORw0KGgoAAAANSUhEUgAAAiEAAAAjCAIAAADNIk3yAAAACXBIWXMAAA7EAAAOxAGVKw4bAAAIWUlEQVR4nO3cW0gUXxwH8HE1L+usurquuWm5EeVDVJCYRVFERImIUanUlkZgEBgmFepDbUUUikEk0lOkL72JLD2ICEHJEmYyaeYlKF1xjdrd2hptFC//h+E/DDNzZi+65eX7eZrjnvOb8/udg4dm3MIWFhYoAACAEND86wkAAMCqhTMGAABCBWcMAACECs4YAAAIFZwxAAAQKjhjAAAgVJbvGWM2m9+/f09qwoqG1QRYI5bpGdPX1zc/P79z507FJqxoWE2AtcPHGTM6OqrT6RQ/8nq99+/fJzUXyWaz5efnk5r+UJn5X+CzGkFPz+fAf5u4P9RXM4j5+z/k6tWrMTExTU1NAcUP7l4AQFEUtaBqZGSEpml/PlLpGYTs7Oz29nZS008cxy3VfALlsxqLKZfPvP5h4v5QX83gKuNPyi6XS6PRMAwzOzsbaHzB0u5zgFUv4l+fcQomJiaGh4cPHTqk2PRfVFTU0k5smfCZ13JOPOjVVOdPyizLarVaPKMD+Jv8eh/z6NEjs9mclJR07tw5r9dLUZTX683IyGBZNiwsrKmpSdx8+PChTqerq6tLSUnR6/UlJSV//vzh47x9+/bAgQM6nW7Dhg0nT54cGBhQvJ3NZjt69Oi6devkTVKEubm56urqlJSU2NjY06dPu91u8TON6enpixcv6nS6TZs23bp1a25ujvr/oUd9fb3ZbNbr9WfPnuVTU4ymEkdOUhw/B8r7FBUV3bt3T+iwd+/epqYmcV6K1RB3mJycvHTpUnJycnp6+u3bt30mLkYqgjymOGBsbGxRUZHb7b5+/XpycnJSUtKFCxcmJyfli8uPUtwnlNKWE2YuHyKkrJKa2+0WL4piZcQCnZ56f4A1y/cZw7IswzB2u72rq8vpdFZVVVEUFR8fPzg4SNM0x3EWi0XcPHHiBMuyXV1d3d3d3d3dPT09tbW1fKi8vLzS0lKHw9HZ2bl///7o6GjFO6q8jCFFqK2t7ejo6OjoGB4eNplMHz9+FAe8c+fO1NRUb29vW1vbq1evnjx5IqTW29vLp+ZwOGpqatSjkeJISIrj50B5n8LCwtbWVv7TiYkJhmEKCgrEQ3zW88qVK06ns6enp62tzWazNTY2qicuRiqCYkx+k3R2djIM43Q6MzMzXS5Xb2/vmzdvRkZGxPHFq0naJ4pbTn2IuINiaklJSeJFIVVGEiqg6fmcG8BapP4obWRkhKKoX79+8U273b5582bhI8X3MfwQh8PB/7ylpSUrK2thYcHj8URERCg+N3c4HBkZGfw1y7I0TXs8HnlTJYLRaOzp6ZHMXJiewWBgWZa/ZhgmOztbnlpnZ6eQmjyaShxFkuLIB8of68v7TE1NxcXF8ZVsbGzMz88XRyZVQ+gwOztL0/Tnz5/5n9tstpycHPXExRSLoBiTD/jz508hoEajmZqa4pt2u33Lli38tXg1SftEfcuRhoj3Hik1n5WRlDGg6ZH6A6xxvt/H0DQtPHsxmUwej8fnkOjo6PT0dP46MzPT4XBQFKXX60+dOpWTk3P48GGTyZSVlXXw4EEhrN1u56/b29uzs7P1er28SYrg9Xo9Hs+OHTsUJ/Pjxw+Xy5WRkcE35+fnIyIi5KmlpaXxqZGikeIkJycLfb5//x7QBNT7xMTE5Obmtra2lpeXt7S0lJaWioeo1JP37du3mZkZs9nMNzMzM/nfg6TExUhFIMWkaTo+Pl4IGBcXFxMTwzdNJpPL5eKvJYuruE8o1S1HGiLwmZp6ZcQCnZ7PuQGsQX/1nf/z58/fvXv34cMHp9NZWVm5b9++x48fUxQVHh6emprK91H/q2VSBD6I4k05jtNoNN3d3cJvdo3G9xNCeTRSHIZh1EMpDpyZmfEneGFhYUNDg8Vi6erqamlpkURWqcaSIJU0aEH8DToArGgh+Q4mx3FjY2P89fDw8MaNG4WPdu/eXVJSUl1d/fTpU+Flg2Bubu7FixfCryFJkxQhPj4+MTGR9L3x1NRUrVbr8Xg2/E84zxSRopHibBAJegKkPrm5uQzDNDc3HzlyRPFrGSr1NBqNkZGRX7584ZuDg4PCv5N8IhVhMTHlq6myT0iCGCLnZxaB3mtJ5gawygR/xhgMBo7jPn36pNisrKwcHx/v7++3Wq15eXkURQ0MDBw/fvzly5dut3tsbKyhoWHXrl1CtOnpaYqi7Hb7+vXrhYcYkqZKhIqKirKysr6+vvHx8fLy8tevX4unarFYLl++3N/fPzExUVdXd/fuXfXUSNH8jyOphnxgYmIix3FDQ0PCXzQpBo+Kijp27NjNmzeLi4slt1CvJ0VR4eHhxcXFFRUVY2Nj/EKcOXNGPXF+FVSKEERMgWQ1efJ94lMQQyRUshBXIIh7LX5uAKuN+usa+Yv9hIQEoWm1WrVa7bNnz8TN+vp6mqYfPHhgNBoTEhLOnz/Pv/6dmZmxWq1bt26NjIw0Go0Wi+Xr16+Su1y7dq2mpkaIL2mqRJidnb1x44bBYIiOji4oKHC5XOKZcxxXUVGRlpam1Wpzc3P5l70qqcmjqcQhERdHcWBVVZW4eqTgra2tNE0Lr9CFaZOqIc6LZdmysjKDwZCWlma1WvnvHpISl/ycVAR5TPVNIjQlq8mPku8TlWg+h/icif+VCXR6pP4Aa1zYwsLC0h5ao6Oj27dv//37dxBjt23b1tzcvGfPHsUmrGiS1QxinyxmawUq0Hv9zbkBrCDL63v+Q0NDKk1Y0bCaAGvQMv1/lwEAYBXAGQMAAKGy9O9jAAAAePh3DAAAhArOGAAACBWcMQAAECo4YwAAIFRwxgAAQKjgjAEAgFDBGQMAAKGCMwYAAEIFZwwAAIQKzhgAAAiV/wACrYIj3vDl/QAAAABJRU5ErkJggg==)

Research’s Comment:

![](data:image/png;base64, iVBORw0KGgoAAAANSUhEUgAAAiEAAAAjCAIAAADNIk3yAAAACXBIWXMAAA7EAAAOxAGVKw4bAAAJ10lEQVR4nO3bbUhTbxsA8OMmus1N3dymzVlOwiQiCyU07AWJMv9DhPKFWmkkFqGypMSkbGmhaAaVmF8C9UP1ScQP4QchMJFQs2W+K+bUzbe5Ws41ZXPPh/P8T4ezne1oO9rTc/0+baf7XPd1Ha/Tvd1Hvex2OwIAAADQgLHTCQAAAPhrwRoDAACALrDGAAAAoAusMQAAAOgCawwAAAC6wBoDAACALrDGAAAAoAusMQAAAOjifo3RaDRe/2IymTKZrLy83GazaTQaHo+3DSlS8Ycko9Fo+Hw+TcFv3rzJZrMbGxu3p1ij0VhRUYG+9siM1INglf7mjNR5vFgCrDG2FpzunzitfQv+39ndmZqa4nK5FovFYrGYzWa1Wn3kyJGysjL0uNvTt43FYtnpFOxTU1OBgYF0RNbr9QwGQ61WW61W+7YUS/j5emRGKkEIlW4POoolxMcaYwvB6b7X6OtbAKjulfn6+vr6+rLZ7Ojo6CdPnrx584bWlW8LfH19dzoFGplMJg6HEx0dzWQykZ0o1iMzUglCqHRH0Hp5/+5GBYBgK89jWCyW1WpFXz99+lQmkwUFBV26dMloNCL/fq+vrq4ODg7m8/lZWVk/f/4kRMjIyHj06BH2Nj4+vrGxcW1t7erVqzweb8+ePffv37fZbFi0iooKkUi0a9euly9fIgjS09Nz7NgxHo8XGhp67ty54eFhwmbC6urqtWvXRCJRWFjYgwcP8KFqampkMhmfz7948SKaMEFPT098fDybzRaJRGlpaVqt1vWJWq32zJkzPB5v3759r169cgxos9nu3LkTHBzs5+eXlpa2vLy82QyXl5fDw8NNJpOXlxdhr2xubu6ff/7h8Xgymaympsbphgx+J4TsehJKNhqNZDM6TZ7KtcUHoVipi7nwJeCj+fn5ZWRkLC8v3759WyQSBQUFXblyZXV11cXPl45iyRqDENyxk8kaBs9p85BFc3pbUelbADxi02vM0tLS3bt3U1NTEQQxmUxqtbqrq6u7u1un0xUXF6NjTCZTd3d3b29vb29vX19fVVUVIUh6enpLSwv6em5uTq1Wp6amlpWVmc3m/v7+tra2jo6O+vp6LNrIyMjAwEBDQ0NCQgKCIHK5PDs7e3p6urOzMyEhgcViEeIXFBTodLq+vr62trbW1ta6ujosVH9/P5rw9PR0SUmJY4F9fX25ubnz8/MDAwNSqTQvL8/1iXl5ef7+/kNDQ2/fvnV6r1ZVVbW3t7e3t4+NjUkkkqGhoc1mGBQUNDIygu5YKhQKfPC8vDwfH5+JiYn29vampibXPzuy6+lYckBAANmMZMlTubaENKhUSjYXoQS0FTs7O9VqtU6ni4qK0uv1/f39Hz58mJqawiezbcW6bQyEpJOdNozblMiikd1WVNIDwAPc7qZNTU0hCCIUCoVCoUAgYLFY169ft1gs6PEfP36gw7q6uiIiIrDx09PT6PHm5ubY2FhCTLPZ7O/vj46pq6tLSUmx2+1CodBkMqED0Kc+WDSDwYCdazAYvL29CZva+A1rq9XK5XInJyfRt62trXFxcVgoLOHOzk40YRcmJiZCQkJcnGi1WlksFr5Yx31tsVjc19eHP7KFDPEFYq/R2bE42OyE7Xv8brvj9XRaMtmMZMlTubaEgFQqdTEXvgT0yPfv37FoDAbDbDajb7u6uvbu3bvNxZI1Bj640062O2sYKu1NFs3pbUWlbwHwCG8q6xCHw1Gr1QiCMBgMsViMbZRzuVzsi79EIjEYDOhrFosVFhaGvo6KipqeniYEZLPZycnJLS0t+fn5zc3N2dnZ37590+v14eHh6ICNjQ1vb29sFvwvvfD5/PPnz8fFxSUmJkokktjY2BMnTuCDLy4urq+vy2QyLAH0PwVCwlKpFEsY79OnT0VFRUNDQ+vr6xsbGxsbGy5OXFxcRBAEXywhmtFoNBgMBw8e9GCG+DgbGxv4OC4GYwjXk6xkF5M6TX5TmVMc72IuQglcLjcgIACL5u/vz2az0bcSiUSv129zsW4bAyHpZKcNQyUlp9HIbisq6QHgEZTWGAaDERoa6tmJ09PTa2trFQpFd3d3c3OzyWRiMBi9vb3Y0sJgkO7jvX79+uPHjwMDAzqdrrCw8OjRo7du3fJUYqmpqTk5OfX19SwWa3Z2Nikp6fdj7uDjayroKPmP9UcV69jJDx8+RLbaMI7RSkpKqN9WANCB0hqzWRaLZWZmBv2UNDY2tnv3bscxycnJOTk5TU1Np06d4vF4PB6Pw+EYDIbDhw9TmSImJiYmJgaNI5fL8WuMWCz28fH5+vUr+llvZGQE+xzn1tLSkk6nu3fvHvoW//nXKbFYjCAIvljCgICAAIFA8Pnz5+joaI9kSJidwWBoNJo9e/agcdDjAoHAbDavrKygn7VnZ2ddBNlCyR5JngqPz7VtxbptDAyhk58/f+7YMNRTcozm9Lainh4Av4muDzWFhYVarXZwcFClUsnlcscBvr6+SUlJpaWlmZmZ6BGFQnHjxo3BwcG5ubnq6ury8nKnkYeHh8+ePfvu3bvl5eWZmZna2tpDhw7hBzCZzMzMTKVSOTMzgyZw4cIFimmLRCKBQPDixQuj0Tg+Pq5SqVyPZzKZSUlJ+GIdxyiVytzc3C9fvmi12vz8/Pfv3/9OhoTZ5XK5UqnUaDT42Xk8XmxsbGFh4cLCwvj4OPa7GJsqWSgUWiyW8fFxx0k9kjwVHp9r24ql0hhknezYMAKBwGKxjI6O2mw2spTIojm9rVykt7a2tunLCoALbp/YkP39F9mDZfR4ZWWlWCwODAy8fPky9vSVoKWlhcvlYv9qsViUSqVUKuVwOMnJyehTTcfZ19fXVSpVZGSkj4+PWCxWKBTz8/OEYSaTKTc3VygUSqVSlUqF/jWfiyfheB0dHbGxsSwWKyQkpLCwMDAw0PWJs7Ozp0+f5nK5kZGRjx8/doxptVqLioqEQiGLxUpNTdXr9VvIkOyh9Pz8vFwu53K54eHhlZWV2PiJiYnExEQul7t///5nz545jeOiZPS4SqXicDgNDQ1uLy+Va0tWgotKqczlOprj2+0p1k7SGPhznXaynaRhiouL0fScpuQimtPbikp6AHiEl91u9+yipdFoDhw4sLKy4tmwwK3R0dHjx48vLCzsdCIAAPBf8ADw76FWqyMiInY6CwAA+IWWZ/5g25SXl0skkpSUlMnJyZKSktLS0p3OCAAAfoHvMf/bTp48WVdXJ5VKFQpFQUFBVlbWTmcEAAC/eP55DAAAAICC7zEAAADoAmsMAAAAusAaAwAAgC6wxgAAAKALrDEAAADoAmsMAAAAusAaAwAAgC6wxgAAAKALrDEAAADoAmsMAAAAuvwHrk+IaL1ydeQAAAAASUVORK5CYII=)

Mirror: Click here to view the mirror

Coordinated Disclosure Timeline

Vulnerability Reported:	3 October, 2020 15:42 GMT
Vulnerability Verified:	5 October, 2020 07:49 GMT
Website Operator Notified:	5 October, 2020 07:49 GMT
a. Using the ISO 29147 guidelines
—	—
b. Using publicly available security contacts
c. Using Open Bug Bounty notification framework
d. Using security contacts provided by the researcher
Public Report Published
[without any technical details]:	5 October, 2020 07:49 GMT
Vulnerability Fixed:	5 October, 2020 15:43 GMT
—	—

JSON