| Title | SourceCodester Web-based-Pharmacy-Product-Management-System 1.0 Improper Access Controls |
|---|
| Description | The application does not invalidate active sessions after account deletion.
When an Super Admin deletes a Admin account, any previously authenticated session (PHPSESSID) associated with that account remains valid.
Although new login attempts fail, the existing session continues to grant access to protected administrative pages until manual logout or session expiration.
This results in a privilege revocation bypass and constitutes Improper Access Control.
|
|---|
| Source | ⚠️ https://github.com/hiranerakkot/Web-based-Pharmacy-Product-Management-System/blob/main/README.md |
|---|
| User | Hiran (UID 95719) |
|---|
| Submission | 02/19/2026 12:16 (2 months ago) |
|---|
| Moderation | 03/01/2026 07:44 (10 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 348296 [SourceCodester Web-based Pharmacy Product Management System 1.0 session expiration] |
|---|
| Points | 20 |
|---|