Submission #829766: SourceCodester Human Resource Management 1.0 Insecure Direct Object Reference

Information

Title: SourceCodester Human Resource Management 1.0 Insecure Direct Object Reference

Description: An Insecure Direct Object Reference (IDOR) vulnerability was identified in the Human Resource Management (HRM) application due to improper authorization validation on employee-related endpoints. The application uses user-controlled identifiers such as `employeeid` and `empid` to access employee records without verifying whether the authenticated user is authorized to access the requested resource. By manipulating these identifiers, an authenticated attacker can access sensitive information belonging to other employees and administrative accounts, leading to unauthorized disclosure of confidential data.

Affected endpoints include:
* `/detailview.php?employeeid=`
* `/employeeadd.php?empid=`

Successful exploitation allows attackers to:
* Access unauthorized employee records
* Enumerate valid employee identifiers
* View administrative profile information
* Potentially abuse privileged functionality

This issue exists due to missing server-side authorization checks and represents a critical Broken Access Control vulnerability under the OWASP Top 10.

Source: https://r4sh7n.medium.com/insecure-direct-object-reference-idor-vulnerability-in-employee-management-functionality-70df8ac5b1d3?postPublishedType=repub
User: r4sh7n (UID 97600)
Submission: 14/05/2026 04:26 PM (21 days ago)
Moderation: 02/06/2026 04:01 PM (19 days later)
Status: Accepted
VulDB Entry: 367929 [SourceCodester Human Resource Management 1.0 Employee View Page /detailview.php employeeid privilege escalation]
Points: 17
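The missing server-side authorization check the submission describes, shown as an added PHP illustration that is not code from the SourceCodester HRM project: a hypothetical `detailview.php`-style handler whose lookup is keyed only on the `employeeid` parameter, next to a hardened version that ties the lookup to the authenticated session and logs refusals so that identifier enumeration is visible in the logs. The `employees` table columns, the session keys (`employee_id`, `role`, `remote_addr`) and the `admin` role name are assumptions made for the example.

```php
<?php
// Added illustration only: a hypothetical detailview.php-style handler, not
// code from the SourceCodester HRM project. Table and session layout are assumed.

declare(strict_types=1);

// Vulnerable pattern: whichever `employeeid` arrives in the query string is
// looked up and returned. The session proves the user is logged in, but
// nothing checks that this user may read this particular record.
function fetchEmployeeVulnerable(PDO $db, array $get): ?array
{
    $id = (int) ($get['employeeid'] ?? 0);
    $stmt = $db->prepare('SELECT id, name, email, role FROM employees WHERE id = ?');
    $stmt->execute([$id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened pattern: the identifier is validated, and the request is only
// honoured when it matches the authenticated session's own employee id or the
// session carries the (assumed) admin role. Denials are logged with both ids,
// so a run of refusals from one session stands out as an enumeration attempt.
function fetchEmployeeAuthorized(PDO $db, array $get, array $session): array
{
    $id = filter_var($get['employeeid'] ?? null, FILTER_VALIDATE_INT);
    if ($id === false || $id === null) {
        return ['status' => 400, 'record' => null];
    }
    $sessionEmployeeId = (int) ($session['employee_id'] ?? 0);
    $isAdmin = ($session['role'] ?? '') === 'admin';

    if (!$isAdmin && $id !== $sessionEmployeeId) {
        error_log(sprintf(
            'authz denied: employee %d requested employeeid=%d from %s',
            $sessionEmployeeId, $id, $session['remote_addr'] ?? 'unknown'
        ));
        // Same response for "not yours" and "does not exist", so the endpoint
        // cannot be used to confirm which identifiers are valid.
        return ['status' => 404, 'record' => null];
    }

    $stmt = $db->prepare('SELECT id, name, email, role FROM employees WHERE id = ?');
    $stmt->execute([$id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return ['status' => 404, 'record' => null];
    }
    return ['status' => 200, 'record' => $row];
}

// Self-contained demo on an in-memory SQLite database with constructed rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE employees (id INTEGER PRIMARY KEY, name TEXT, email TEXT, role TEXT)');
$db->exec("INSERT INTO employees VALUES
    (1, 'Admin User',    'admin@example.test', 'admin'),
    (7, 'Alice Example', 'alice@example.test', 'employee'),
    (8, 'Bob Example',   'bob@example.test',   'employee')");

// Constructed session for a regular employee (id 7) who is logged in.
$aliceSession = ['employee_id' => 7, 'role' => 'employee', 'remote_addr' => '203.0.113.5'];

// The vulnerable handler hands employee 7 the admin profile on request.
var_dump(fetchEmployeeVulnerable($db, ['employeeid' => '1']));

// The hardened handler refuses the admin profile, serves her own record,
// and rejects a malformed identifier before touching the database.
var_dump(fetchEmployeeAuthorized($db, ['employeeid' => '1'], $aliceSession)['status']);
var_dump(fetchEmployeeAuthorized($db, ['employeeid' => '7'], $aliceSession)['status']);
var_dump(fetchEmployeeAuthorized($db, ['employeeid' => 'abc'], $aliceSession)['status']);
```

The ownership comparison sits in application code rather than in the SQL so that a denied request and a nonexistent record produce the same response; folding `AND id = :session_id` into the query would also work, but then the logging that makes enumeration detectable has to be added separately.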
