Headline
Lost And Found Information System 1.0 Broken Access Control / Privilege Escalation
Lost and Found Information System version 1.0 allows a staff level user to adjust administrative controls.
Lost And Found Information System 1.0 Broken Access Control / Privilege Escalation
Lost And Found Information System 1.0 Broken Access Control / Privilege Escalation
Vulnerability: Broken Access ControlAuthor: Akash PandeyCVE: CVE-2023-3018Source:https://www.sourcecodester.com/php/16525/lost-and-found-information-system-using-php-and-mysql-db-source-code-free-download.html*Steps to re-produce*:1. Go to https://site.com/admin/?page=user/list as staff user.2. Notice that as a staff user I am able to access admin functionalities.3. Now as a staff I am able to edit admin user’s passwordPOC:https://medium.com/@akashpandey380/lost-and-found-information-system-v1-0-idor-cve-2023-977966c4450dRelated news
CVE-2023-3018
A vulnerability was found in SourceCodester Lost and Found Information System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /admin/?page=user/list. The manipulation leads to improper access controls. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-230362 is the identifier assigned to this vulnerability.