Submit #780773: SourceCodester Leave Application System in PHP and SQLite3 1.0 Improper Authorizationinfo

TitleSourceCodester Leave Application System in PHP and SQLite3 1.0 Improper Authorization
DescriptionThe Leave Application System in PHP and SQLite3 is vulnerable to an Insecure Direct Object Reference (IDOR) vulnerability in the user management functionality. The application allows authenticated users to access and modify other user accounts by manipulating the id parameter in the URL. Example vulnerable endpoint: ?page=manage_user&id=1 By changing the id parameter value, attackers can access other users' accounts: ?page=manage_user&id=2 ?page=manage_user&id=3 The application loads different user profiles based solely on the ID value without performing proper authorization checks. This vulnerability may allow attackers to access sensitive user information, modify other user accounts, and potentially escalate privileges.
Source⚠️ https://medium.com/@hemantrajbhati5555/insecure-direct-object-reference-idor-in-leave-application-system-php-sqlite3-66af35b8b6ea
User Hemant Raj Bhati (UID 95613)
Submission03/16/2026 12:33 (4 months ago)
Moderation04/01/2026 15:18 (16 days later)
StatusAccepted
VulDB entry354657 [SourceCodester Leave Application System 1.0 User Information index.php?page=manage_user ID authorization]
Points20

Might our Artificial Intelligence support you?

Check our Alexa App!