Submit #817935: SourceCodester eDoc Doctor Appointment System 1.0 Missing Authorizationinfo

TitleSourceCodester eDoc Doctor Appointment System 1.0 Missing Authorization
DescriptionA missing authorization vulnerability exists in SourceCodester eDoc Doctor Appointment System 1.0. The admin delete endpoints /admin/delete-session.php?id=, /admin/delete-appointment.php?id=, and /admin/delete-doctor.php?id= can be accessed by unauthenticated users. Although the affected PHP files attempt to redirect unauthenticated users to ../login.php using header(), script execution continues because exit or die is not called after the redirect. As a result, the delete operation can still execute. An unauthenticated attacker may delete doctor records, appointment records, and schedule/session records by sending crafted GET requests to the affected endpoints. CWE: CWE-862 CWE: CWE-306 CVSS: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H Product URL: https://www.sourcecodester.com/hashenudara/simple-doctors-appointment-project.html
Source⚠️ https://drive.google.com/file/d/1mCUEIC-a9tIvrTLkeAjrxLj6K19Afwhl/view?usp=sharing
User
 vaibhavnarkhede (UID 94039)
Submission05/02/2026 13:25 (2 months ago)
Moderation05/26/2026 18:04 (24 days later)
StatusAccepted
VulDB entry365676 [SourceCodester eDoc Doctor Appointment System 1.0 delete-session.php ID authorization]
Points20

Interested in the pricing of exploits?

See the underground prices here!