| Title | https://github.com/tutorials-website Employee Management System(EMS Version-1.0) 1.0 broken access control |
|---|
| Description | Unprotected Private Functions on Employee Management System v1.0
Download app:
https://github.com/tutorials-website/EMS-MINI-PROJECT
This application is vulnerable to broken access control because an arbitrary user can perform several restricted actions due to unprotected private functions.
Normally, an anonymous user has to log in to use the features of the application. Let's assume the web is deployed in this local URL: http://localhost:8088.
So, when opening the page, the anonymous user will see this login page. Without logging in, the user should be unable to open other pages.
However, the user can execute a restricted function by directly sending this HTTP request.
Approving Leave:
POST | http://localhost:8088/admin/all-applied-leave.php | approved=&comment=jqakozap%0D%0A&id=1
Found by:
BACFuzz Founder
|
|---|
| Source | ⚠️ https://drive.google.com/file/d/1N5ApKiYw-yKNhVERr4m3ruooiANgpFRo/view?usp=sharing |
|---|
| User | ary52 (UID 85519) |
|---|
| Submission | 09/17/2025 13:24 (7 months ago) |
|---|
| Moderation | 09/26/2025 10:30 (9 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 325969 [Tutorials-Website Employee Management System up to 611887d8f8375271ce8abc704507d46340837a60 HTTP Request all-applied-leave.php improper authorization] |
|---|
| Points | 20 |
|---|