| tiêu đề | Bdtask SalesERP -- AI-Powered ERP Software For Small Business Unknown Broken Access Control / Privilege Escalation |
|---|
| Mô tả | Bdtask SalesERP is vulnerable to a critical Broken Access Control issue due to missing server-side authorization validation across administrative functionality. The application trusts any valid ci_session cookie without confirming the user’s role or permission level. This allows a standard authenticated user to directly access admin-restricted endpoints (e.g., /add_role, /bank_list, /stock, /purchase_list) and perform privileged operations. Successful exploitation results in full privilege escalation, enabling unauthorized viewing, modification, and deletion of sensitive ERP data, as well as the ability to create or alter roles, manage financial records, and control all administrative modules. This flaw leads to complete compromise of the ERP system. |
|---|
| Nguồn | ⚠️ https://github.com/4m3rr0r/PoCVulDb/issues/11 |
|---|
| Người dùng | 4m3rr0r (UID 85795) |
|---|
| Đệ trình | 16/01/2026 11:19 (cách đây 5 các tháng) |
|---|
| Kiểm duyệt | 29/01/2026 09:44 (13 days later) |
|---|
| Trạng thái | được chấp nhận |
|---|
| Mục VulDB | 343359 [Bdtask SalesERP đến 20260116 Administrative Endpoint ci_session nâng cao đặc quyền] |
|---|
| điểm | 20 |
|---|