| عنوان | Indotalent Asp.Net-Core-Inventory-Order-Management-System v9.20250118 Improper Authorization |
|---|
| الوصف | An authorization vulnerability chain in Asp.Net-Core-Inventory-Order-Management-System v9.20250118 and earlier allows a low-privileged authenticated user to enumerate, access, and modify all user accounts, including administrators. The issue arises from an unauthenticated Swagger endpoint that discloses internal API structure and from missing server-side authorization checks on privileged security APIs such as /api/Security/GetUserList, /api/Security/GetMyProfileList, and /api/Security/UpdateUser. By invoking these endpoints with a normal user bearer token, an attacker can obtain sensitive user information and perform arbitrary account modifications, resulting in full administrative compromise of the application. |
|---|
| المصدر | ⚠️ https://github.com/Ghufran2/CVE-Asp.Net-Core-Inventory-Order-Management-System-Advisories/blob/main/Asp.Net-Core-Inventory-Order-Management-System%20IDOR%20to%20Full%20System%20Compromise.md |
|---|
| المستخدم | Ghufran Khan (UID 95493) |
|---|
| ارسال | 14/02/2026 03:12 PM (2 أشهر منذ) |
|---|
| الاعتدال | 26/02/2026 03:39 PM (12 days later) |
|---|
| الحالة | تمت الموافقة |
|---|
| إدخال VulDB | 347986 [go2ismail Asp.Net-Core-Inventory-Order-Management-System حتى 9.20250118 Security API /api/Security/ تجاوز الصلاحيات] |
|---|
| النقاط | 20 |
|---|