Submit #768120: SourceCodester Client Database Management System (CDMS) 1.0 Improper Authorization

Title: SourceCodester Client Database Management System (CDMS) 1.0 Improper Authorization
Description: The endpoint /superadmin_user_delete.php in Client Database Management System 1.0 does not implement proper authentication or authorization checks. The script processes POST requests containing a user_id parameter and directly executes the delete operation without validating session state or verifying the user's role. An unauthenticated attacker can send a crafted HTTP POST request to delete arbitrary user accounts from the system.

Proof of Concept

    curl -X POST http://TARGET/cdm/superadmin_user_delete.php \
      -d "user_id=31"

Server Response:

    {"status":"success","message":"User deleted successfully."}

No authentication token or valid session is required to perform this action.

Impact

An attacker can:

- Delete arbitrary user accounts
- Disrupt business operations
- Cause permanent data loss
- Bypass privilege restrictions
- Perform denial-of-service against legitimate users

This vulnerability represents a critical access control failure and violates the principle of least privilege.
Source: https://gist.github.com/Adarshh-A/dd8884d768d9dde9072fe5efce453824
User: Adarsh007 (UID 95657)
Submission: 02/26/2026 10:06 (1 month ago)
Moderation: 03/07/2026 21:42 (9 days later)
Status: Accepted
VulDB entry: 349739 [SourceCodester Client Database Management System 1.0 Endpoint superadmin_user_delete.php user_id improper authorization]
Points: 20
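
The description says the delete runs without validating session state or verifying the user's role. The following is an added example of those two checks placed in front of the delete; it is not CDMS source code, and the session keys `user_id` and `role`, the role value `superadmin` and the `users(id)` table are assumptions.

```php
<?php
declare(strict_types=1);
// Added example, not CDMS source code. The session keys 'user_id' and 'role',
// the role value 'superadmin' and the users(id) table are assumptions.

/** Decide whether a delete request may proceed. Returns [HTTP status, message]. */
function authorize_delete(string $method, array $session, array $post): array
{
    if ($method !== 'POST') {
        return [405, 'Method not allowed.'];
    }
    if (empty($session['user_id'])) {               // session state check
        return [401, 'Authentication required.'];
    }
    if (($session['role'] ?? '') !== 'superadmin') { // role check
        return [403, 'Insufficient privileges.'];
    }
    $id = filter_var($post['user_id'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return [400, 'Invalid user_id.'];
    }
    return [200, 'Authorized.'];
}

/** Run the delete only after authorization succeeds. */
function handle_delete(PDO $db, string $method, array $session, array $post): array
{
    [$code, $msg] = authorize_delete($method, $session, $post);
    if ($code !== 200) {
        return [$code, ['status' => 'error', 'message' => $msg]];
    }
    $stmt = $db->prepare('DELETE FROM users WHERE id = :id');
    $stmt->execute([':id' => (int) $post['user_id']]);
    return [200, ['status' => 'success', 'message' => 'User deleted successfully.']];
}

// Constructed requests showing each decision when run from the command line.
if (PHP_SAPI === 'cli') {
    $cases = [
        'no session'  => [[], ['user_id' => '31']],
        'wrong role'  => [['user_id' => 7, 'role' => 'staff'], ['user_id' => '31']],
        'bad id'      => [['user_id' => 1, 'role' => 'superadmin'], ['user_id' => 'abc']],
        'super admin' => [['user_id' => 1, 'role' => 'superadmin'], ['user_id' => '31']],
    ];
    foreach ($cases as $name => [$session, $post]) {
        [$code, $msg] = authorize_delete('POST', $session, $post);
        printf("%-11s -> %d %s\n", $name, $code, $msg);
    }
}
```

In the endpoint itself, call `session_start()` first and pass `$_SERVER['REQUEST_METHOD']`, `$_SESSION` and `$_POST` to `handle_delete()`, then send the returned status with `http_response_code()` and the body with `json_encode()`.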
