| Field | Value |
|---|---|
| Title | 1000 Projects portfolio-management-system v1.0 Unverified Password Change |
| Description | A high severity IDOR (Insecure Direct Object Reference) vulnerability exists in 1000project `update_passwd_process.php`. The vulnerability allows an attacker to modify the password of any user account by manipulating the `temp_user` session variable, enabling unauthorized password changes without proper authorization checks.<br><br>**Key Characteristics:**<br>- **Attack Vector**: Session variable manipulation<br>- **Impact**: Unauthorized password modification for any user<br>- **Authentication**: Requires a valid user session (but no additional authorization)<br><br>The vulnerability stems from the system using a session variable to identify the user whose password to change, without verifying that the current user has permission to modify that account. |
| Source | https://github.com/9str0IL/CVE/issues/4 |
| User | 9str0il (UID 97218) |
| Submission | 10/04/2026 05:31 AM (2 months ago) |
| Moderation | 26/04/2026 09:47 PM (17 days later) |
| Status | Approved |
| VulDB Entry | 359743 [1000 Projects Portfolio Management System MCA 1.0 update_passwd_process.php temp_user privilege escalation] |
| Points | 20 |