Employee Performance Evaluation System 1.0 Insecure Direct Object Reference

CVE: CVE-2021-26561
Category: CWE-284 (Improper Access Control)
Price: Not disclosed
Severity: High
Author: Unknown
Risk: High
Exploitation Type: Remote
Date: 2020-12-09
CVSS: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
EPSS: 0.02192
EPSS percentile (EPSSP): 0.50148

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2020120054

Below is a copy:

Employee Performance Evaluation System 1.0 Insecure Direct Object Reference
# Exploit Title: Employee Performance Evaluation System 1.0 - Authenticated low-privilege (local employee) account can edit or delete the Admin user via Insecure Direct Object Reference (IDOR) / missing access control
# Date: 09/12/2020
# Exploit Author: Manish Solanki
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/14617/employee-performance-evaluation-system-phpmysqli-source-code.html
# Version: 1.0
# Tested on: Windows 10/Kali Linux
# PoC: https://drive.google.com/file/d/1LWU05ocapuoIL1nfqCF8DRu_T2gB-3sQ/view


Steps to Reproduce:

1) Log in with the admin credentials (Email: [email protected], Password: admin123).
2) Create a local employee account.
3) Log out of the admin account.

4) Log in with the local employee account.
5) Change the URL to ?page=user_list. Now I am able to delete / change the admin user:

http://localhost/epes/index.php?page=user_list

6) The low-privilege local account can now reach the admin-only user management page and perform edit or delete operations on the admin account. The application checks only that a session exists, not the role it carries, so the admin-only page and its edit/delete actions are reachable by any logged-in user (CVSS PR:L, not unauthenticated).
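The defect the steps above exercise is a page dispatcher that gates on "is someone logged in?" rather than "which role is logged in?". The following is an added example written for this advisory, not code from the Employee Performance Evaluation System: a role-gated dispatcher with a page allowlist, plus the same guard applied to the action handler that actually performs the delete. The session key login_type, the role values, the pages/ layout, the users table and every page name except user_list are assumptions.

```php
<?php
// Added example for this advisory; not the EPES project's own code.
// Assumptions (hypothetical): the app keeps the logged-in user's role in
// $_SESSION['login_type'] with 1 = admin, 2 = employee, and each page is a
// PHP file under ./pages/ selected by the ?page= parameter.
session_start();

const ADMIN    = 1;
const EMPLOYEE = 2;

// Allowlist: every reachable page and the roles permitted to open it.
// A page absent from this map is a 404, so an arbitrary ?page= value can
// never be turned into a file include of the attacker's choosing.
$pages = [
    'home'          => [ADMIN, EMPLOYEE],
    'my_evaluation' => [EMPLOYEE],   // assumed page name
    'user_list'     => [ADMIN],      // the page the advisory reaches as an employee
    'manage_user'   => [ADMIN],      // assumed edit form
];

function current_role(): ?int
{
    return isset($_SESSION['login_type']) ? (int) $_SESSION['login_type'] : null;
}

// Deny unless the session carries one of the allowed roles.
function require_role(array $allowed): void
{
    $role = current_role();
    if ($role === null) {             // no session at all: send to login
        header('Location: login.php');
        exit;
    }
    if (!in_array($role, $allowed, true)) {   // logged in, wrong role
        http_response_code(403);
        exit('Forbidden');
    }
}

// --- Vulnerable shape, for comparison (commented out): only the existence
// of a session is checked, so ?page=user_list renders for any logged-in user.
// if (!isset($_SESSION['login_id'])) { header('Location: login.php'); exit; }
// include 'pages/' . $_GET['page'] . '.php';

// --- Hardened dispatcher
$page = $_GET['page'] ?? 'home';
if (!array_key_exists($page, $pages)) {
    http_response_code(404);
    exit('Not found');
}
require_role($pages[$page]);
include __DIR__ . '/pages/' . $page . '.php';

// --- Action handler (e.g. the delete endpoint behind the user list).
// It must carry the same guard: an attacker who knows the handler URL and a
// user id does not need the listing page at all. Table name is assumed.
function delete_user(mysqli $db, int $id): bool
{
    require_role([ADMIN]);
    $stmt = $db->prepare('DELETE FROM users WHERE id = ?');
    $stmt->bind_param('i', $id);
    return $stmt->execute();
}
```

The allowlist is the important part: the role check lives in one place and is keyed on the page name, so adding a page without listing it fails closed (404) rather than open. Hiding the user_list menu entry or redirecting the listing page alone does not fix the IDOR, because the edit and delete handlers remain reachable directly; every state-changing endpoint needs require_role() (and, where the handler takes a record id, an ownership check against the session's own user id for non-admin roles).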

Copyright ©2024 Exploitalert.