
All SAE support emails are visible to the public
Verified, Public

Description

Abstract

"Servei de l'Atenció a l'Estudiantat", a service of the Universitat de Barcelona, has a system which manages all the messages sent to them in the form of issues. Unfortunately, all the issues (including internal comments that UB employees have written in order to deal with the issues and that should not be visible even to the person who has contacted them) are visible to the public.

This is because a page which is used to display Frequently Asked Questions (FAQs), such as this one, can also be used to access any of the previously mentioned issues by changing the id in the URL.

Reproduction steps

  1. Open http://aris.ub.edu/MRcgiUB/WS/proj33/ensenyarDetall.pl?id={issue}&lg=cat, where {issue} is the ID for the issue you want to view (it doesn't matter whether you are logged in).

As an example, you can open http://aris.ub.edu/MRcgiUB/WS/proj33/ensenyarDetall.pl?id=34691&lg=cat, which is the message in which I sent a previous vulnerability report.


Severity of the vulnerability

This vulnerability allows access to all messages, which include personal information such as national identification numbers and the birthdays linked to the names of each person that has filled in the contact form, apart from the potential personal information or queries included in the message body and the internal comments made by UB employees. Because of this, I consider this vulnerability to be quite severe.

What should be done?

There may be different approaches to fix this vulnerability, but in any case, that page should only load FAQ content, not private messages sent to the SAE.
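The fix described above, sketched as an added example (not code from the report or from the UB system): the detail lookup is shown first as the report describes it, then restricted to published FAQ records with only public fields returned. The table layout, column names, function names and sample rows are all constructed assumptions, since the real data model is not shown on this page.

```python
import sqlite3

# Constructed schema and rows; the real aris.ub.edu data model is not public.
def build_db():
    db = sqlite3.connect(":memory:")
    db.row_factory = sqlite3.Row
    db.execute("""CREATE TABLE records (
        id INTEGER PRIMARY KEY, kind TEXT, published INTEGER,
        title TEXT, body TEXT, sender_national_id TEXT, internal_comments TEXT)""")
    db.executemany("INSERT INTO records VALUES (?,?,?,?,?,?,?)", [
        (100, "faq", 1, "How do I enrol?", "See the enrolment page.", None, None),
        (101, "faq", 0, "Draft FAQ", "Not yet reviewed.", None, None),
        (200, "issue", 0, "Enrolment problem", "Message body",
         "X0000000X", "staff-only note"),
    ])
    return db

def show_detail_vulnerable(db, record_id):
    """Behaviour the report describes: any id is served, whatever the record is."""
    row = db.execute("SELECT * FROM records WHERE id = ?", (record_id,)).fetchone()
    return dict(row) if row else None

# Allowlist of columns the public FAQ page may ever return.
PUBLIC_FIELDS = ("id", "title", "body")

def show_detail_fixed(db, record_id):
    """Serve a record only if it is a published FAQ, and only its public fields."""
    try:
        record_id = int(record_id)
    except (TypeError, ValueError):
        return None  # malformed id: same response as "not found"
    # The record type is checked server-side in the query itself, so an id that
    # belongs to a support issue is indistinguishable from a missing id.
    row = db.execute(
        f"SELECT {', '.join(PUBLIC_FIELDS)} FROM records "
        "WHERE id = ? AND kind = 'faq' AND published = 1",
        (record_id,),
    ).fetchone()
    return dict(row) if row else None
```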


This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.

Details

Vendor: Universitat de Barcelona
Product: aris.ub.edu
Reported: Mar 18 2019, 12:47 AM
Deadline: 90

Event Timeline

avm99963 triaged this task as Priority-1 priority. (Mar 18 2019, 12:18 AM)
avm99963 created this task.
avm99963 set Reported to Mar 18 2019, 12:47 AM. (Mar 18 2019, 12:52 AM)

The third party says the vulnerability is fixed and I could verify it too, so I'm publishing the vulnerability.

avm99963 changed the visibility from "Restricted Project (Project)" to "Public (No Login Required)". (Mar 19 2019, 6:26 PM)