| Titel | Bdtask Pharmacy Management System v9.4 Insecure Direct Object Reference (IDOR) |
|---|
| Beschreibung | The application uses a predictable, sequential user ID in the URL to fetch and display user profile data. However, it fails to perform a server-side authorization check to verify if the currently authenticated user has the necessary permissions to view or edit the profile associated with the requested ID. This allows any authenticated user to access the profiles of other users simply by manipulating the ID in the URL.
|
|---|
| Quelle | ⚠️ https://github.com/4m3rr0r/PoCVulDb/blob/main/README15.md |
|---|
| Benutzer | 4m3rr0r (UID 85795) |
|---|
| Einreichung | 14.10.2025 17:07 (vor 7 Monaten) |
|---|
| Moderieren | 26.10.2025 17:30 (12 days later) |
|---|
| Status | Akzeptiert |
|---|
| VulDB Eintrag | 329956 [Bdtask Pharmacy Management System bis 9.4 User Profile /user/edit_user/ erweiterte Rechte] |
|---|
| Punkte | 19 |
|---|