| Title | 1000 Projects portfolio-management-system v1.0 Unverified Password Change |
|---|---|
| Description | A high-severity IDOR (Insecure Direct Object Reference) vulnerability exists in `update_passwd_process.php` of the 1000 Projects portfolio-management-system. The script selects the account whose password is changed from the `temp_user` session variable and never checks that the current user is allowed to modify that account, so an attacker who can control the value of `temp_user` can set a new password on any user account.
**Key characteristics:**
- **Attack vector**: control of the `temp_user` session variable
- **Impact**: unauthorized password change on any user account
- **Authentication**: requires a valid logged-in session, but no further authorization check
The root cause is that the account to modify is taken from a session variable rather than bound to the authenticated user, with no verification that the current user has permission to modify that account. |
| Source | https://github.com/9str0IL/CVE/issues/4 |
| User | 9str0il (UID 97218) |
| Submitted | 10/04/2026 05:31 (2 months ago) |
| Moderated | 26/04/2026 21:47 (17 days later) |
| Status | accepted |
| VulDB entry | 359743 [1000 Projects Portfolio Management System MCA 1.0 update_passwd_process.php temp_user privilege escalation] |
| Points | 20 |
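The pattern described in the Description row, as an added illustration that is not the project's code and does not reproduce the real `update_passwd_process.php`: a password-change handler that trusts a session variable to pick the target account, beside a version that binds the change to the authenticated user and requires re-authentication. Only the names `temp_user` and `update_passwd_process.php` come from the advisory; the `$pdo` handle, the `users` table and its columns, `$_SESSION['user_id']` and the length policy are assumptions.

```php
<?php
// Added illustration of the vulnerability class described above.
// NOT the 1000 Projects code: `temp_user` is the only name taken from the
// advisory. `$pdo`, the `users` table/columns, `$_SESSION['user_id']` and
// the password policy are assumptions made for this example.
session_start();

// --- Vulnerable shape: the account to update comes from a session variable
// that is never tied to the logged-in user. Whoever can get an arbitrary
// value into $_SESSION['temp_user'] can set that account's password.
function update_password_vulnerable(PDO $pdo, string $newPassword): bool
{
    $target = $_SESSION['temp_user'] ?? null;   // who receives the new password
    if ($target === null) {
        return false;
    }
    // No check that $target is the caller's own account or one they administer.
    $stmt = $pdo->prepare('UPDATE users SET password = :pw WHERE id = :id');
    return $stmt->execute([
        ':pw' => password_hash($newPassword, PASSWORD_DEFAULT),
        ':id' => $target,
    ]);
}

// --- Hardened shape: the target is the authenticated principal recorded at
// login, the caller must prove the current password, and the session id is
// rotated after the credential change.
function update_password_hardened(PDO $pdo, string $currentPassword, string $newPassword): bool
{
    $userId = $_SESSION['user_id'] ?? null;     // set once at login, never from later input
    if ($userId === null) {
        return false;                           // not authenticated
    }
    if (strlen($newPassword) < 12) {
        return false;                           // assumed local password policy
    }

    // Re-authenticate: a hijacked or half-set-up session is not enough by itself.
    $stmt = $pdo->prepare('SELECT password FROM users WHERE id = :id');
    $stmt->execute([':id' => $userId]);
    $hash = $stmt->fetchColumn();
    if ($hash === false || !password_verify($currentPassword, $hash)) {
        return false;
    }

    // The WHERE clause is bound to the authenticated user, not to a
    // caller-influenced identifier, so no other account can be targeted.
    $stmt = $pdo->prepare('UPDATE users SET password = :pw WHERE id = :id');
    $ok = $stmt->execute([
        ':pw' => password_hash($newPassword, PASSWORD_DEFAULT),
        ':id' => $userId,
    ]);
    if ($ok) {
        session_regenerate_id(true);            // invalidate the old session id
    }
    return $ok;
}
```

If a script genuinely has to change a password for an account other than the caller's own (an administrator reset, or a forgot-password flow), the target must come from an explicit server-side authorization decision: an admin role check against the authenticated user, or a single-use reset token that was verified in the same request. A bare session variable such as `temp_user` proves neither.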