| Title | 1000 Projects portfolio-management-system v1.0 Unverified Password Change |
|---|
| Description | A high severity IDOR (Insecure Direct Object Reference) vulnerability exists in 1000project `update_passwd_process.php`. The vulnerability allows an attacker to modify the password of any user account by manipulating the `temp_user` session variable, enabling unauthorized password changes without proper authorization checks.
**Key Characteristics:**
- **Attack Vector**: Session variable manipulation
- **Impact**: Unauthorized password modification for any user
- **Authentication**: Requires valid user session (but no additional authorization)
The vulnerability stems from the system using a session variable to identify the user whose password to change, without verifying that the current user has permission to modify that account. |
|---|
| Source | ⚠️ https://github.com/9str0IL/CVE/issues/4 |
|---|
| User | 9str0il (UID 97218) |
|---|
| Submission | 04/10/2026 05:31 (3 months ago) |
|---|
| Moderation | 04/26/2026 21:47 (17 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 359743 [1000 Projects Portfolio Management System MCA 1.0 update_passwd_process.php temp_user authorization] |
|---|
| Points | 20 |
|---|