提出 #740735: Bdtask SalesERP -- AI-Powered ERP Software For Small Business Unknown Broken Access Control / Privilege Escalation情報

タイトル	Bdtask SalesERP -- AI-Powered ERP Software For Small Business Unknown Broken Access Control / Privilege Escalation
説明	Bdtask SalesERP is vulnerable to a critical Broken Access Control issue due to missing server-side authorization validation across administrative functionality. The application trusts any valid ci_session cookie without confirming the user’s role or permission level. This allows a standard authenticated user to directly access admin-restricted endpoints (e.g., /add_role, /bank_list, /stock, /purchase_list) and perform privileged operations. Successful exploitation results in full privilege escalation, enabling unauthorized viewing, modification, and deletion of sensitive ERP data, as well as the ability to create or alter roles, manage financial records, and control all administrative modules. This flaw leads to complete compromise of the ERP system.
ソース	⚠️ https://github.com/4m3rr0r/PoCVulDb/issues/11
ユーザー	4m3rr0r (UID 85795)
送信	2026年01月16日 11:19 (5 月 ago)
モデレーション	2026年01月29日 09:44 (13 days later)
ステータス	承諾済み
VulDBエントリ	343359 [Bdtask SalesERP 迄 20260116 Administrative Endpoint ci_session 特権昇格]
ポイント	20

Do you know our Splunk app?

Download it now for free!