Vendor: Lost and Found Information System
By: OR4NG.M4N
CVSS: 8.1 (CRITICAL)
CWE: 639 (Insecure Direct Object Reference (IDOR))
Product Name: Lost and Found Information System
Affected Version From: 1
Affected Version To: 1
Patch Exists: NO
Related CVE: CVE-2023-38965
CPE: a:lost_and_found_information_system:lost_and_found_information_system:1.0
Platforms Tested:
2023
Lost and Found Information System v1.0 – Insecure Direct Object Reference leads to Account Takeover
The Lost and Found Information System v1.0 is vulnerable to an Insecure Direct Object Reference (IDOR) attack, which can be exploited by an authenticated attacker to take over user accounts. By manipulating the 'id' parameter in the POST request to '/classes/Users.php?f=save', an attacker can modify user information and potentially gain unauthorized access to other user accounts. This vulnerability has been assigned CVE-2023-38965.
Mitigation:
To mitigate this vulnerability, it is recommended to implement proper access controls and authorization checks to ensure that users can only modify their own accounts. Additionally, sensitive user data should be encrypted and protected to prevent unauthorized access.
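As an added illustration of such an authorization check (hypothetical PHP written for this advisory, not the project's own code; the session keys `login_id` and `login_type`, the `users` table and its column names are assumptions), the handler below binds the update to the server-side session identity and refuses a non-administrator request that names a different account:

```php
<?php
declare(strict_types=1);

// Hypothetical hardened save handler (added example, not the project's code).
// Assumed: a session array carrying 'login_id' and 'login_type', a PDO
// connection, and a users table with firstname, lastname, username columns.

/** Return the account id this request may modify, or null to refuse it. */
function authorize_user_save(array $session, array $post): ?int
{
    if (empty($session['login_id'])) {
        return null;                                   // not authenticated
    }
    $self    = (int) $session['login_id'];
    $isAdmin = ($session['login_type'] ?? '') === 'admin';
    $submitted = isset($post['id'])
        ? filter_var($post['id'], FILTER_VALIDATE_INT) : false;

    if ($isAdmin) {
        // Administrators may edit other accounts, but only via a well-formed id.
        return $submitted === false ? null : $submitted;
    }
    if ($submitted !== false && $submitted !== $self) {
        // A non-admin naming another account is the IDOR pattern: refuse and log.
        error_log(sprintf('IDOR attempt: user %d submitted id %d', $self, $submitted));
        return null;
    }
    return $self;                       // always bind to the session identity
}

/** Persist the update using the authorized id, never the raw POST value. */
function save_user(PDO $pdo, array $session, array $post): bool
{
    $id = authorize_user_save($session, $post);
    if ($id === null) {
        http_response_code(403);
        return false;
    }
    $stmt = $pdo->prepare(
        'UPDATE users SET firstname = :fn, lastname = :ln, username = :un WHERE id = :id'
    );
    return $stmt->execute([
        ':fn' => (string) ($post['firstname'] ?? ''),
        ':ln' => (string) ($post['lastname'] ?? ''),
        ':un' => (string) ($post['username'] ?? ''),
        ':id' => $id,
    ]);
}
```

The logged refusal also gives defenders a detection signal: repeated "IDOR attempt" entries from one session indicate probing of other users' ids.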