| Title | Lost and Found Information System v1.0 - Broken Access Control |
|---|---|
| Description | Application Name - Lost and Found Information System<br>Version - v1.0<br>Vulnerability - Broken Access Control<br>Source - https://www.sourcecodester.com/php/16525/lost-and-found-information-system-using-php-and-mysql-db-source-code-free-download.html<br>While testing the application it was observed that a staff user can also force-browse to admin modules.<br>To reproduce -<br>1. Log in as a staff user<br>2. After logging in, go to /admin/?page=user/list as the staff user. Notice that you can edit the administrator username and password as a staff user.<br>Impact -<br>A staff user can change the password of the admin user, which may result in an account takeover of the admin user. |
| Source | ⚠️ https://medium.com/@akashpandey380/lost-and-found-information-system-v1-0-idor-cve-2023-977966c4450d |
| User | l3v1ath0n (UID 33329) |
| Submitted | 2023-05-31 03:08 PM (3 years ago) |
| Moderation | 2023-05-31 03:13 PM (5 minutes later) |
| Status | Accepted |
| VulDB Entry | 230362 [SourceCodester Lost and Found Information System 1.0 /admin/?page=user/list privilege escalation] |
| Points | 20 |
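The report above describes a missing role check in the admin module: any authenticated session, including a staff one, can open `/admin/?page=user/list`. The following is an added illustration of the defect and its fix, not the project's own code; the session keys (`login_id`, `login_type`) and the role names are assumptions made for the example.

```php
<?php
// Added example (not code from the project): a role check that every page
// under /admin/ must perform before dispatching on ?page=.
// Assumed session layout: $_SESSION['login_id'] is set at login and
// $_SESSION['login_type'] holds the role, 'admin' or 'staff'.
declare(strict_types=1);

const ROLE_ADMIN = 'admin';
const ROLE_STAFF = 'staff';

// Modules that only an administrator may open. Only the page named in the
// report is listed here; a real deployment would list every admin module.
const ADMIN_ONLY_PAGES = ['user/list'];

// Weak check: it only proves that *someone* is logged in, so a staff session
// passes straight through to the admin user list, as described above.
function canOpenPageWeak(array $session, string $page): bool
{
    return isset($session['login_id']);
}

// Hardened check: admin-only modules require the admin role, every other
// module still requires a known role, and anything else is refused.
function canOpenPage(array $session, string $page): bool
{
    if (!isset($session['login_id'], $session['login_type'])) {
        return false;                        // not authenticated at all
    }
    $role = $session['login_type'];
    if (in_array($page, ADMIN_ONLY_PAGES, true)) {
        return $role === ROLE_ADMIN;         // staff never reach these
    }
    return in_array($role, [ROLE_ADMIN, ROLE_STAFF], true);
}

// Guard to call at the top of /admin/index.php before any module is included.
// Denials are logged so force-browsing attempts show up in the server log.
function enforceAdminAccess(): void
{
    session_start();
    $page = $_GET['page'] ?? 'home';
    if (!canOpenPage($_SESSION, $page)) {
        http_response_code(403);
        error_log(sprintf('admin access denied: uid=%s role=%s page=%s',
            $_SESSION['login_id'] ?? '-', $_SESSION['login_type'] ?? '-', $page));
        exit('Access denied');
    }
}

// Constructed staff session opening the admin user list.
$staff = ['login_id' => 7, 'login_type' => ROLE_STAFF];
var_dump(canOpenPageWeak($staff, 'user/list'));  // weak check lets staff in
var_dump(canOpenPage($staff, 'user/list'));      // hardened check refuses staff
```

Calling `enforceAdminAccess()` once at the entry point, rather than inside each module, is what prevents the module-by-module omissions that produce this class of bug.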