Submission #163041: Lost and Found Information System v1.0 - Broken Access Control
| Title | Lost and Found Information System v1.0 - Broken Access Control |
|---|---|
| Description | Application Name - Lost and Found Information System. Version - v1.0. Vulnerability - Broken Access Control. Source - https://www.sourcecodester.com/php/16525/lost-and-found-information-system-using-php-and-mysql-db-source-code-free-download.html. While testing the application it was observed that a staff user can also force-browse to admin modules. To reproduce: 1. Log in as a staff user. 2. After logging in, go to /admin/?page=user/list as the staff user. Notice that you can edit the administrator username and password as a staff user. Impact - A staff user can change the password of the admin user, which may result in an account takeover of the admin user. |
| Source | ⚠️ https:/ |
| User | l3v1ath0n (UID 33329) |
| Submission | 31/05/2023 15:08 (3 years ago) |
| Moderation | 31/05/2023 15:13 (5 minutes later) |
| Status | Accepted |
| VulDB Entry | 230362 [SourceCodester Lost and Found Information System 1.0 /admin/?page=user/list privilege escalation] |
| Points | 20 |