| Title | Bdtask SalesERP -- AI-Powered ERP Software For Small Business Unknown Broken Access Control / Privilege Escalation |
|---|
| Description | Bdtask SalesERP is vulnerable to a critical Broken Access Control issue due to missing server-side authorization validation across administrative functionality. The application trusts any valid ci_session cookie without confirming the user’s role or permission level. This allows a standard authenticated user to directly access admin-restricted endpoints (e.g., /add_role, /bank_list, /stock, /purchase_list) and perform privileged operations. Successful exploitation results in full privilege escalation, enabling unauthorized viewing, modification, and deletion of sensitive ERP data, as well as the ability to create or alter roles, manage financial records, and control all administrative modules. This flaw leads to complete compromise of the ERP system. |
|---|
| Source | ⚠️ https://github.com/4m3rr0r/PoCVulDb/issues/11 |
|---|
| User | 4m3rr0r (UID 85795) |
|---|
| Submission | 01/16/2026 11:19 (5 months ago) |
|---|
| Moderation | 01/29/2026 09:44 (13 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 343359 [Bdtask SalesERP up to 20260116 Administrative Endpoint ci_session improper authorization] |
|---|
| Points | 20 |
|---|