CVE-2025-50693 in Online DJ Booking Management System

Summary

by MITRE • 06/24/2025

PHPGurukul Online DJ Booking Management System 2.0 is vulnerable to Insecure Direct Object Reference (IDOR) in odms/request-details.php.


Analysis

by VulDB Data Team • 06/25/2025

The vulnerability identified as CVE-2025-50693 affects the PHPGurukul Online DJ Booking Management System version 2.0 and represents a critical Insecure Direct Object Reference flaw located within the odms/request-details.php file. This type of vulnerability occurs when an application provides direct access to objects based on user-supplied input without proper authorization checks, allowing attackers to manipulate references to access unauthorized data or functionality. The vulnerability specifically impacts the request-details.php endpoint which likely handles booking requests and related information within the DJ management system.

This insecure direct object reference vulnerability stems from inadequate input validation and access control mechanisms within the application's object reference handling. When users access booking details through the request-details.php script, the system fails to verify whether the authenticated user has proper authorization to access the requested object or resource. Attackers can exploit this by manipulating parameters such as request IDs, booking numbers, or user identifiers to gain access to other users' booking information, personal details, or system data that should be restricted. The flaw essentially allows unauthorized data disclosure through direct manipulation of object references.

The operational impact of this vulnerability is significant as it can lead to unauthorized access to sensitive user data including personal information, booking details, payment information, and potentially system administrative functions. An attacker could systematically enumerate through different booking requests to gather comprehensive information about all users within the system, potentially leading to privacy violations, identity theft, or financial fraud. The vulnerability affects the confidentiality aspect of the CIA triad and can result in data breaches that compromise user trust and regulatory compliance. This type of flaw is particularly dangerous in web applications that handle personal information and business-critical data.

Mitigation strategies for this vulnerability should focus on implementing proper access control mechanisms and input validation throughout the application. The system must enforce authorization checks before allowing access to any object reference, ensuring that users can only access resources they are authorized to view. This includes implementing role-based access control, proper session management, and validating all input parameters against the legitimate permissions of the requesting user. The application should also implement object reference obfuscation or use indirect references to prevent direct manipulation of object identifiers. Additionally, input validation should be strengthened to reject any suspicious parameter values that could indicate an attempt to access unauthorized resources. Organizations should also consider implementing logging and monitoring mechanisms to detect unauthorized access attempts and maintain compliance with security standards such as those outlined in the CWE database under category 284 for improper access control. This vulnerability aligns with ATT&CK technique T1078 for valid accounts and T1566 for credential harvesting, making it a critical concern for organizations implementing security controls and threat detection measures.
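As an added illustration of the access-control fix described above (constructed example code, not PHPGurukul's request-details.php and not taken from the product), the following handler shows the generic IDOR pattern next to an owner-scoped rewrite. The table name `tblrequest`, its columns, the `bid` query parameter, the `$_SESSION['user_id']` key and the `$pdo` connection are all assumptions made for the example.

```php
<?php
// Added example (not the project's code): a constructed booking-detail
// handler showing the IDOR pattern and an owner-scoped rewrite.
// Assumed schema: tblrequest(id, user_id, event_date, venue, status)
// and an existing PDO handle $pdo created elsewhere.

declare(strict_types=1);
session_start();

// --- VULNERABLE PATTERN (hypothetical) ---
// The row is selected by the client-supplied id alone, so the query never
// asks whether the requesting user owns that booking.
function fetchRequestVulnerable(PDO $pdo, string $bid): ?array
{
    $stmt = $pdo->prepare('SELECT * FROM tblrequest WHERE id = :id');
    $stmt->execute([':id' => $bid]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// --- HARDENED PATTERN ---
// Authorization is part of the lookup itself: the query is scoped to the
// authenticated user's id, so an id that belongs to someone else yields no row.
function fetchRequestForUser(PDO $pdo, int $requestId, int $userId): ?array
{
    $stmt = $pdo->prepare(
        'SELECT id, user_id, event_date, venue, status
           FROM tblrequest
          WHERE id = :id AND user_id = :uid'
    );
    $stmt->execute([':id' => $requestId, ':uid' => $userId]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// Session check: the endpoint is only reachable by an authenticated user.
function requireLogin(): int
{
    if (empty($_SESSION['user_id'])) {
        http_response_code(401);
        exit('login required');
    }
    return (int) $_SESSION['user_id'];
}

// Strict input validation: the identifier must be a positive integer,
// anything else is rejected before it reaches the database.
function parseRequestId(array $query): ?int
{
    $id = filter_var(
        $query['bid'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    return ($id === false || $id === null) ? null : $id;
}

$userId    = requireLogin();
$requestId = parseRequestId($_GET);
if ($requestId === null) {
    http_response_code(400);
    exit('invalid request id');
}

$row = fetchRequestForUser($pdo, $requestId, $userId);
if ($row === null) {
    // Same response whether the row is absent or belongs to another user,
    // so the endpoint does not confirm which ids exist. The denial is logged
    // so repeated probing of ids stands out in monitoring.
    error_log(sprintf(
        'request-details denied: id=%d user=%d ip=%s',
        $requestId,
        $userId,
        $_SERVER['REMOTE_ADDR'] ?? '-'
    ));
    http_response_code(404);
    exit('not found');
}

header('Content-Type: application/json');
echo json_encode($row);
```

The design point is that the ownership condition lives in the same query as the lookup, so there is no code path that loads a booking first and checks the owner afterwards. An administrative view that legitimately needs every booking should be a separate handler gated by an explicit role check on the session, not a relaxation of this one.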

Responsible: MITRE

Reservation: 06/16/2025

Disclosure: 06/24/2025

Moderation: accepted

CPE: ready

EPSS: 0.00283

KEV: no

Activities: very low
