| Title | SourceCodester eDoc Doctor Appointment System 1.0 Missing Authorization |
|---|
| Description | A missing authorization vulnerability exists in SourceCodester eDoc Doctor Appointment System 1.0. The admin delete endpoints /admin/delete-session.php?id=, /admin/delete-appointment.php?id=, and /admin/delete-doctor.php?id= can be accessed by unauthenticated users. Although the affected PHP files attempt to redirect unauthenticated users to ../login.php using header(), script execution continues because exit or die is not called after the redirect. As a result, the delete operation can still execute.
An unauthenticated attacker may delete doctor records, appointment records, and schedule/session records by sending crafted GET requests to the affected endpoints.
CWE: CWE-862
CWE: CWE-306
CVSS: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Product URL: https://www.sourcecodester.com/hashenudara/simple-doctors-appointment-project.html |
|---|
| Source | ⚠️ https://drive.google.com/file/d/1mCUEIC-a9tIvrTLkeAjrxLj6K19Afwhl/view?usp=sharing |
|---|
| User | vaibhavnarkhede (UID 94039) |
|---|
| Submission | 05/02/2026 13:25 (2 months ago) |
|---|
| Moderation | 05/26/2026 18:04 (24 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 365676 [SourceCodester eDoc Doctor Appointment System 1.0 delete-session.php ID authorization] |
|---|
| Points | 20 |
|---|