Submit #740735: Bdtask SalesERP -- AI-Powered ERP Software For Small Business Unknown Broken Access Control / Privilege Escalationinfo

TitelBdtask SalesERP -- AI-Powered ERP Software For Small Business Unknown Broken Access Control / Privilege Escalation
BeschreibungBdtask SalesERP is vulnerable to a critical Broken Access Control issue due to missing server-side authorization validation across administrative functionality. The application trusts any valid ci_session cookie without confirming the user’s role or permission level. This allows a standard authenticated user to directly access admin-restricted endpoints (e.g., /add_role, /bank_list, /stock, /purchase_list) and perform privileged operations. Successful exploitation results in full privilege escalation, enabling unauthorized viewing, modification, and deletion of sensitive ERP data, as well as the ability to create or alter roles, manage financial records, and control all administrative modules. This flaw leads to complete compromise of the ERP system.
Quelle⚠️ https://github.com/4m3rr0r/PoCVulDb/issues/11
Benutzer
 4m3rr0r (UID 85795)
Einreichung16.01.2026 11:19 (vor 5 Monaten)
Moderieren29.01.2026 09:44 (13 days later)
StatusAkzeptiert
VulDB Eintrag343359 [Bdtask SalesERP bis 20260116 Administrative Endpoint ci_session erweiterte Rechte]
Punkte20

ZurückÜbersichtWeiter

Want to stay up to date on a daily basis?

Enable the mail alert feature now!