| Titre | SourceCodester Human Resource Management 1.0 Insecure Direct Object Reference |
|---|
| Description | An Insecure Direct Object Reference (IDOR) vulnerability was identified in the Human Resource Management (HRM) application due to improper authorization validation on employee-related endpoints.
The application uses user-controlled identifiers such as `employeeid` and `empid` to access employee records without verifying whether the authenticated user is authorized to access the requested resource.
By manipulating these identifiers, an authenticated attacker can access sensitive information belonging to other employees and administrative accounts, leading to unauthorized disclosure of confidential data.
Affected endpoints include:
* `/detailview.php?employeeid=`
* `/employeeadd.php?empid=`
Successful exploitation allows attackers to:
* Access unauthorized employee records
* Enumerate valid employee identifiers
* View administrative profile information
* Potentially abuse privileged functionality
This issue exists due to missing server-side authorization checks and represents a critical Broken Access Control vulnerability under OWASP Top 10.
|
|---|
| La source | ⚠️ https://r4sh7n.medium.com/insecure-direct-object-reference-idor-vulnerability-in-employee-management-functionality-70df8ac5b1d3?postPublishedType=repub |
|---|
| Utilisateur | r4sh7n (UID 97600) |
|---|
| Soumission | 14/05/2026 16:26 (il y a 25 jours) |
|---|
| Modérer | 02/06/2026 16:01 (19 days later) |
|---|
| Statut | Accepté |
|---|
| Entrée VulDB | 367929 [SourceCodester Human Resource Management 1.0 Employee View Page /detailview.php employeeid élévation de privilèges] |
|---|
| Points | 17 |
|---|