| Título | Bdtask Pharmacy Management System v9.4 Insecure Direct Object Reference (IDOR) |
|---|
| Descripción | The application uses a predictable, sequential user ID in the URL to fetch and display user profile data. However, it fails to perform a server-side authorization check to verify if the currently authenticated user has the necessary permissions to view or edit the profile associated with the requested ID. This allows any authenticated user to access the profiles of other users simply by manipulating the ID in the URL.
|
|---|
| Fuente | ⚠️ https://github.com/4m3rr0r/PoCVulDb/blob/main/README15.md |
|---|
| Usuario | 4m3rr0r (UID 85795) |
|---|
| Sumisión | 2025-10-14 17:07 (hace 7 meses) |
|---|
| Moderación | 2025-10-26 17:30 (12 days later) |
|---|
| Estado | Aceptado |
|---|
| Entrada de VulDB | 329956 [Bdtask Pharmacy Management System hasta 9.4 User Profile /user/edit_user/ escalada de privilegios] |
|---|
| Puntos | 19 |
|---|