Submit #801610: 1000 Projects portfolio-management-system v1.0 Unverified Password Changeinfo

Title1000 Projects portfolio-management-system v1.0 Unverified Password Change
DescriptionA high severity IDOR (Insecure Direct Object Reference) vulnerability exists in 1000project `update_passwd_process.php`. The vulnerability allows an attacker to modify the password of any user account by manipulating the `temp_user` session variable, enabling unauthorized password changes without proper authorization checks. **Key Characteristics:** - **Attack Vector**: Session variable manipulation - **Impact**: Unauthorized password modification for any user - **Authentication**: Requires valid user session (but no additional authorization) The vulnerability stems from the system using a session variable to identify the user whose password to change, without verifying that the current user has permission to modify that account.
Source⚠️ https://github.com/9str0IL/CVE/issues/4
User
 9str0il (UID 97218)
Submission04/10/2026 05:31 (3 months ago)
Moderation04/26/2026 21:47 (17 days later)
StatusAccepted
VulDB entry359743 [1000 Projects Portfolio Management System MCA 1.0 update_passwd_process.php temp_user authorization]
Points20

Might our Artificial Intelligence support you?

Check our Alexa App!