| Field | Value |
|---|---|
| Title | SourceCodester Client Database Management System (CDMS) 1.0 Broken Access Control |
| Description | Client Database Management System (CDMS) contains multiple critical broken access control vulnerabilities. Several backend endpoints fail to enforce authentication and authorization checks, allowing unauthenticated attackers to perform privileged actions.<br>Affected endpoints:<br>- `/cdm/fetch_manager_details.php` (IDOR, information disclosure)<br>- `/cdm/superadmin_delete_manager.php` (unauthenticated manager deletion)<br>- `/cdm/superadmin_sales_agent_create.php` (unauthenticated record creation)<br>An attacker can enumerate internal data, delete managers, create internal records and modify application state.<br>These vulnerabilities exist because the affected scripts perform no session validation (they do not `include 'session.php'`) and no role-based access control checks.<br>CVSS v3.1 vector: `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`<br>Severity: Critical (9.8) |
| Source | https://gist.github.com/Adarshh-A/f25452a4fe736babd39b9a1b800e98d0 |
| User | Adarsh007 (UID 95657) |
| Submission | 02/25/2026 09:31 |
| Moderation | 03/07/2026 19:03 (10 days later) |
| Status | Accepted |
| VulDB entry | 349712 [SourceCodester Client Database Management System 1.0 Endpoint fetch_manager_details.php manager_id improper authorization] |
| Points | 20 |