Submit #263251: Engineers Online Portal Web 1.0 Creation of Engineers without to be authorized as an Admin

Title: Engineers Online Portal Web 1.0 Creation of Engineers without to be authorized as an Admin

Description:

Dear Janno palacios,

I hope this message finds you well. I would like to express my gratitude for your valuable time and attention. My brother and I have successfully identified a medium-level vulnerability, "Creation of Engineers without to be authorized as an Admin", within your Engineers Online Portal Application. Consequently, I am writing this email to provide you with a comprehensive Proof of Concept, including a video demonstration and relevant screenshots. Furthermore, I would like to kindly request your consideration in assigning a CVE identifier to this discovery. I have attached a previous example for the same application for your reference.

Link for the previous CVE: https://vuldb.com/?id.249182

Thank you once again for your time, and I look forward to your response.

Sincerely,
Ahmed Hassan

------

We were able to log out with the admin user but intercept the request and after that still create Engineers even if the admin User is logged out only by using his request.

Let's see :)

Let's log out from the admin user.

Now let's create an engineer with the name CHANGED without being logged in, by using the request only.

User has been created -> let's log in with the admin user and we will find the user CHANGED.

User has been created successfully :)

Thank you for watching :)

Source: https://mega.nz/file/fckFBASJ#lffaC0xY44ri9Ln-7hrUbUtq2GTiE8roiW8guR7QeVE
User: ahmed8199 (ID 60803)
Submission: 01/06/2024 17:27 (4 months ago)
Moderation: 01/09/2024 15:14 (3 days later)
Status: Accepted
VulDB Entry: 250118