Marking as verified because UB's SAE confirmed that the vulnerability was fixed on Feb 21 2020, 12:14.

On Feb 21, 2020, SAE confirmed that the vulnerability was fixed. From my end it also seems like it is fixed, so I'll be changing its status to verified and will publish it.

This vulnerability seems to be fixed from my end since a couple of days ago. Therefore, I'm marking it as fixed.

On Sep 12, 2019 Google confirmed that the vulnerability was fixed, so I'll publish it now.

Changing its status to "started", because SAE (Servei d'Atenció a l'Estudiant) told me on Jan 16, 2020:

I haven't received any response, so I just sent them an email saying that I'll set this report to be autopublished in a week (which means setting the deadline field to 154 days), given that I verified that the issue was fixed.

Since I reported the vulnerability in August, I only contacted them once again on Sep 2 to confirm whether they received the vulnerability details or not. They didn't reply and so I didn't know whether they actually received it.

CESICAT sent me an email on Sep 13, 2019, 4:54 PM stating the following:

I haven't updated this report for a long time, so this is the timeline of the most important events since CESICAT had access to the vulnerability details until now:

T13 and T14 were considered the same bug by Google in their own issue tracker, so I marked T14 as a duplicate of T13 in my issue tracker.

I emailed an AES-256 encrypted ZIP file with a translation of this report in Catalan on Jun 10, 3:18 AM and I just gave CESICAT the key via another contact method, so I'm setting this vulnerability as reported on Jun 11, 1:00 PM because this is when they first had access to the document.

Prinsen Group seems to have disappeared completely from the map and exactly 1 year has passed since the vulnerability was first known, so I'm disclosing it publicly and marking it as WontFix.

The third party says the vulnerability is fixed and I could verify it too, so I'm publishing the vulnerability.

The third party says the vulnerability is fixed and I could verify it too, so I'm publishing the vulnerability.

I received a repsonse from them on Tue, Mar 12, 6:44 PM:

Just as an observation, this report was sent to pau@ub.edu on Feb 7, 2019, 12:43 AM, 20 days ago.

I've been quite busy for the last week so I haven't been able to update this issue until today.

On Tuesday, December 13, at 10:12 AM, a Jutge.org developer told me that this had been fixed, and I could verify it that same day.

Yesterday at 14:26 someone from CESICAT called me in order to confirm that the issue was solved, as I had noticed the day before, when I updated this report.

CESICAT hasn't replied yet to the message I sent them yesterday, but I have just seen that they the reproduction steps are no longer functional, so they must have fixed it or are actively working on fixing it.