| Title | SourceCodester Multi-Vendor Online Grocery Management System 1.0 Improper Authorization |
|---|---|
| Description | A vulnerability was found in SourceCodester Multi-Vendor Online Grocery Management System 1.0. It has been classified as critical. The `cancel_order()` function in `classes/Master.php` accepts an order ID from POST data and updates the order's status without verifying that the order belongs to the current user. Any authenticated client can cancel any order in the system by supplying an arbitrary order ID.<br>`POST /mvogms/classes/Master.php?f=cancel_order`<br>`id=2`<br>Response: `{"status":"success","msg":" Order has been cancelled successfully."}` |
| Source | https://github.com/lee945/cve/issues/4 |
| User | cHr1s (UID 98736) |
| Submitted | 2026-06-03 13:55 (1 month ago) |
| Moderation | 2026-07-04 06:59 (1 month later) |
| Status | Accepted |
| VulDB entry | 376289 [SourceCodester Multi-Vendor Online Grocery Management System 1.0 classes/Master.php cancel_order privilege escalation] |
| Points | 20 |
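
The missing ownership check described in the entry above, shown beside a hardened form. This is an added example, not the project's code: the `order_list` table, its columns, the `client_id` session key and the status value are assumptions, and it uses an in-memory SQLite database through PDO (requires `pdo_sqlite`) so that it runs stand-alone.

```php
<?php
// Added illustration: schema, column names, session key and status code are
// assumptions, not taken from the project's classes/Master.php.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE order_list (id INTEGER PRIMARY KEY, client_id INTEGER, status INTEGER)');
// Constructed sample data: order 1 belongs to client 10, order 2 to client 20.
$db->exec('INSERT INTO order_list (id, client_id, status) VALUES (1, 10, 0), (2, 20, 0)');

const STATUS_CANCELLED = 5; // hypothetical status code

// Pattern described in the report: the order id from POST is the only key,
// so the caller's identity never enters the query.
function cancel_order_unscoped(PDO $db, array $post): array {
    $stmt = $db->prepare('UPDATE order_list SET status = ? WHERE id = ?');
    $stmt->execute([STATUS_CANCELLED, (int)($post['id'] ?? 0)]);
    return ['status' => 'success'];
}

// Hardened form: the UPDATE is scoped to the session's client id, so an
// order id owned by someone else matches zero rows and is reported as failed.
function cancel_order_scoped(PDO $db, array $post, array $session): array {
    $orderId  = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT);
    $clientId = $session['client_id'] ?? null;
    if ($orderId === false || $clientId === null) {
        return ['status' => 'failed', 'msg' => 'Invalid request.'];
    }
    $stmt = $db->prepare('UPDATE order_list SET status = ? WHERE id = ? AND client_id = ?');
    $stmt->execute([STATUS_CANCELLED, $orderId, $clientId]);
    if ($stmt->rowCount() !== 1) {
        // Same answer for "not yours" and "does not exist": no order-id oracle.
        return ['status' => 'failed', 'msg' => 'Order not found.'];
    }
    return ['status' => 'success'];
}

$session = ['client_id' => 10]; // constructed: logged-in client 10
$foreign = ['id' => '2'];       // order 2 belongs to client 20

// Scoped handler: foreign order is refused, the caller's own order is cancelled.
echo json_encode(cancel_order_scoped($db, $foreign, $session)), PHP_EOL;
echo json_encode(cancel_order_scoped($db, ['id' => '1'], $session)), PHP_EOL;
// Unscoped handler: the same foreign id is accepted regardless of the session.
echo json_encode(cancel_order_unscoped($db, $foreign)), PHP_EOL;
```

Putting the owner into the `WHERE` clause makes the authorization check and the update a single statement, so there is no window between a separate ownership lookup and the write.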