| Título | Bdtask SalesERP -- AI-Powered ERP Software For Small Business Unknown Broken Access Control / Privilege Escalation |
|---|
| Descrição | Bdtask SalesERP is vulnerable to a critical Broken Access Control issue due to missing server-side authorization validation across administrative functionality. The application trusts any valid ci_session cookie without confirming the user’s role or permission level. This allows a standard authenticated user to directly access admin-restricted endpoints (e.g., /add_role, /bank_list, /stock, /purchase_list) and perform privileged operations. Successful exploitation results in full privilege escalation, enabling unauthorized viewing, modification, and deletion of sensitive ERP data, as well as the ability to create or alter roles, manage financial records, and control all administrative modules. This flaw leads to complete compromise of the ERP system. |
|---|
| Fonte | ⚠️ https://github.com/4m3rr0r/PoCVulDb/issues/11 |
|---|
| Utilizador | 4m3rr0r (UID 85795) |
|---|
| Submissão | 16/01/2026 11h19 (há 5 meses) |
|---|
| Moderação | 29/01/2026 09h44 (13 days later) |
|---|
| Estado | Aceite |
|---|
| Entrada VulDB | 343359 [Bdtask SalesERP até 20260116 Administrative Endpoint ci_session Elevação de Privilégios] |
|---|
| Pontos | 20 |
|---|