Task 303 (Closed), opened by DNUZZ31
Summary: A publicly accessible administrative panel appears to e ...

Task Description

Dear alwaysdata Security Team,

I hope this message finds you well. I am writing to submit a vulnerability report through your Bug Bounty program as outlined in your policy at https://www.alwaysdata.com/en/technical-specifications/bug-bounty/.

Vulnerability Summary
I have discovered a critical security misconfiguration involving a customer site hosted on your platform. An admin panel with default login credentials is publicly exposed, allowing unauthorized administrative access to the CMS installation.

Affected Assets
Domain: https://boidcms.alwaysdata.net

Admin Panel: https://boidcms.alwaysdata.net/admin

IP Address: http://1.92.94.174 (also hosts the same CMS)

Service: boidCMS installation on alwaysdata infrastructure

Discovery Details
Date of Discovery: March 13, 2026
Steps to Reproduce

1. Navigate to http://1.92.94.174/admin

2. Observe the login page, which explicitly displays credentials:

   Login Credentials:
   Username: admin, Password: password

3. Enter the provided credentials (admin/password)

4. Observe successful authentication and redirect to https://boidcms.alwaysdata.net/admin

5. The full administrative dashboard becomes accessible, with permissions to:

   - Create/Update/Delete content
   - Manage media files
   - Install/modify plugins and themes
   - Access system settings

Proof of Concept
I have attached screenshots documenting:

Screenshot 1: The login page at http://1.92.94.174/admin showing exposed credentials

Screenshot 2: Successful login redirect to boidcms.alwaysdata.net/admin

Screenshot 3: The admin dashboard confirming full access

Security Impact
An attacker exploiting this vulnerability could:

Gain complete control over the website

Deface or modify site content

Upload malicious files through media management

Install backdoor plugins for persistent access

Potentially leverage this access to probe other alwaysdata services

Use the domain for phishing or malware distribution

CVSS Assessment
Based on your scoring guidelines, I believe this qualifies as:

CVSS Score: 9.1 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Category: Access Control Issues / Broken Authentication

Please let me know if you need any additional information, clarification, or if you would like me to test a fix once deployed. I am happy to assist in any way to ensure this issue is properly addressed.

Thank you for maintaining a bug bounty program and for your commitment to platform security.

Best regards,
