| Title | Bdtask Pharmacy Management System v9.4 Insecure Direct Object Reference (IDOR) |
|---|
| Description | The application uses a predictable, sequential user ID in the URL to fetch and display user profile data. However, it fails to perform a server-side authorization check to verify if the currently authenticated user has the necessary permissions to view or edit the profile associated with the requested ID. This allows any authenticated user to access the profiles of other users simply by manipulating the ID in the URL.
|
|---|
| Source | ⚠️ https://github.com/4m3rr0r/PoCVulDb/blob/main/README15.md |
|---|
| User | 4m3rr0r (UID 85795) |
|---|
| Submission | 10/14/2025 17:07 (7 months ago) |
|---|
| Moderation | 10/26/2025 17:30 (12 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 329956 [Bdtask Pharmacy Management System up to 9.4 User Profile /user/edit_user/ authorization] |
|---|
| Points | 19 |
|---|