- Status: Closed
- Assigned To: cbay - Private
- Opened by DNUZZ31 - 13.03.2026
- Last edited by cbay - 16.03.2026
FS#303 - A publicly accessible administrative panel appears to expose default login credentials on the login
Dear alwaysdata Security Team,
I hope this message finds you well. I am writing to submit a vulnerability report through your Bug Bounty program as outlined in your policy at https://www.alwaysdata.com/en/technical-specifications/bug-bounty/.
Vulnerability Summary
I have discovered a critical security misconfiguration involving a customer site hosted on your platform. An admin panel with default login credentials is publicly exposed, allowing unauthorized administrative access to the CMS installation.
Affected Assets
- Domain: https://boidcms.alwaysdata.net
- Admin Panel: https://boidcms.alwaysdata.net/admin
- IP Address: http://1.92.94.174 (also hosts the same CMS)
- Service: boidCMS installation on alwaysdata infrastructure
Discovery Details
Date of Discovery: March 13, 2026
Steps to Reproduce
1. Navigate to http://1.92.94.174/admin
2. Observe the login page, which explicitly displays credentials:
   ```text
   Login Credentials:
   Username: admin, Password: password
   ```
3. Enter the provided credentials (admin/password)
4. Observe successful authentication and redirect to https://boidcms.alwaysdata.net/admin
5. Full administrative dashboard becomes accessible with permissions to:
   - Create/Update/Delete content
   - Manage media files
   - Install/modify plugins and themes
   - Access system settings
Proof of Concept
I have attached screenshots documenting:
- Screenshot 1: The login page at http://1.92.94.174/admin showing exposed credentials
- Screenshot 2: Successful login redirect to boidcms.alwaysdata.net/admin
- Screenshot 3: The admin dashboard confirming full access
Security Impact
An attacker exploiting this vulnerability could:
- Gain complete control over the website
- Deface or modify site content
- Upload malicious files through media management
- Install backdoor plugins for persistent access
- Potentially leverage this access to probe other alwaysdata services
- Use the domain for phishing or malware distribution
CVSS Assessment
Based on your scoring guidelines, I believe this qualifies as:
- CVSS Score: 9.1 (Critical)
- Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
- Category: Access Control Issues / Broken Authentication
Please let me know if you need any additional information, clarification, or if you would like me to test a fix once deployed. I am happy to assist in any way to ensure this issue is properly addressed.
Thank you for maintaining a bug bounty program and for your commitment to platform security.
Best regards,
b.png
Hello,
That URL belongs to a client, not to us.
Kind regards,
Cyril