CVE-2022-30495
Description
In oretnom23 Automotive Shop Management System v1.0, the `id` parameter is vulnerable to IDOR (Broken Access Control), allowing attackers to change the admin password (vertical privilege escalation).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Automotive Shop Management System v1.0 fails to verify that a user updating a profile owns that record, allowing a staff user to change the admin password via IDOR.
Vulnerability
In oretnom23 Automotive Shop Management System v1.0, the /asms/classes/Users.php?f=save endpoint does not enforce access control on the id parameter supplied in the multipart form data. A logged-in staff user can send a POST request containing an arbitrary user ID (e.g., id=1 for the admin account) along with modified profile fields, including a new password. The application accepts the request without verifying that the authenticated session corresponds to the target user ID. The vulnerability affects version 1.0 of the software as distributed by oretnom23 [1].
Exploitation
An attacker must first authenticate as a staff user (any non-admin role with a valid session). From the profile page, the user intercepts the save request using a proxy such as Burp Suite or OWASP ZAP. The attacker then changes the id field in the POST body from their own numeric ID to 1 (the admin user ID) and can set any desired password in the password field (if present, otherwise the request can be modified to include it). The request is submitted to /asms/classes/Users.php?f=save. No additional privileges or interactions beyond staff-level login are required [1].
Impact
Successful exploitation allows the staff user to change the administrative password, achieving vertical privilege escalation to full administrative control. The attacker can then log in as admin and compromise the entire application, including access to all customer records, financial data, and system configuration [1].
Mitigation
The vendor (oretnom23) has not released a patched version or advisory as of the publication date (May 26, 2022). The application is no longer available at the original SourceCodester link, and its current support status is unknown. No workaround is provided in the reference. The CVE is not listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog. Users should consider migrating away from the product or applying WAF rules that block requests where the id parameter does not match the session’s user identifier [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- oretnom23/Automotive Shop Management System
- Range: = v1.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing server-side authorization check on the user update endpoint allows any authenticated user to modify any user record by supplying an arbitrary user ID."
Attack vector
An attacker who has authenticated as a low-privileged staff user intercepts the profile-update POST request to `/asms/classes/Users.php?f=save` [ref_id=1]. By changing the `id` parameter to `1` (the administrator's ID) and supplying a new `password` value, the attacker overwrites the admin account's credentials [ref_id=1]. After forwarding the modified request, the attacker can log in as the administrator with the newly set password, achieving vertical privilege escalation [ref_id=1].
Affected code
The vulnerable endpoint is `/asms/classes/Users.php?f=save` [ref_id=1]. The server does not verify that the `id` parameter in the POST body matches the authenticated user's session, allowing any logged-in user to modify any user record by supplying an arbitrary `id` value [ref_id=1].
What the fix does
No patch is included in the bundle. The advisory [ref_id=1] does not provide remediation code. To fix this vulnerability, the application should enforce server-side authorization checks on the `Users.php?f=save` endpoint, ensuring that the `id` parameter matches the currently authenticated user's ID (or that the user has administrative privileges to edit other accounts).
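As an added illustration of that fix (not code from the oretnom23 project, whose source the advisory does not show), the following PHP sketch shows a save handler that enforces the ownership-or-admin check before touching the record. The session keys `login_id` and `login_type`, the PDO handle, and the `users` table columns are assumptions chosen for this example.

```php
<?php
// Added example, not the Automotive Shop Management System's own code.
// Assumptions: the session stores the caller's id and role under
// $_SESSION['login_id'] and $_SESSION['login_type'], and a PDO handle
// points at a users table with id, username and password columns.

// Decide whether the caller may modify the target user record: only their
// own record, unless they hold the admin role.
function can_edit_user(int $sessionUserId, string $sessionRole, int $targetId): bool
{
    if ($sessionUserId <= 0 || $targetId <= 0) {
        return false;                         // no authenticated user, or bad id
    }
    if ($sessionRole === 'admin') {
        return true;                          // admins may manage any account
    }
    return $sessionUserId === $targetId;      // staff may only edit themselves
}

// Hardened equivalent of a Users.php?f=save handler: identity and role are
// taken from the server-side session, never from the submitted form.
function save_user(PDO $db): void
{
    $sessionUserId = (int) ($_SESSION['login_id'] ?? 0);
    $sessionRole   = (string) ($_SESSION['login_type'] ?? '');
    $targetId      = (int) ($_POST['id'] ?? 0);

    if (!can_edit_user($sessionUserId, $sessionRole, $targetId)) {
        // Log the mismatch so an IDOR attempt is visible in the server log.
        error_log("users/save denied: session user {$sessionUserId} targeted id {$targetId}");
        http_response_code(403);
        echo json_encode(['status' => 'failed', 'msg' => 'Not authorized']);
        return;
    }

    $params = [':username' => (string) ($_POST['username'] ?? ''), ':id' => $targetId];
    $sql    = 'UPDATE users SET username = :username WHERE id = :id';

    // Only touch the password when a new one was actually supplied.
    if (($_POST['password'] ?? '') !== '') {
        $sql = 'UPDATE users SET username = :username, password = :password WHERE id = :id';
        $params[':password'] = password_hash((string) $_POST['password'], PASSWORD_DEFAULT);
    }

    $stmt = $db->prepare($sql);
    $stmt->execute($params);
    echo json_encode(['status' => 'success']);
}
```

The denied branch logs the session id and the targeted id together, which is the signal a detection rule or the WAF check mentioned under Mitigation would key on.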
Preconditions
- auth: Attacker must have a valid staff-level account on the Automotive Shop Management System
- input: Attacker must be able to intercept and modify HTTP requests (e.g., using a proxy like Burp Suite or ZAP)
- config: The target application must be running Automotive Shop Management System v1.0
Reproduction
Steps as given in the reference [ref_id=1]:
1. Log in as a staff user.
2. Go to the profile page and click the save button, intercepting the request with a proxy.
3. Change the `id` parameter to `1`, set `username` to `admin`, and insert a new password in the `password` field.
4. Forward the modified request.
5. Log out and log in as `admin` with the newly set password.
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. github.com/nsparker1337/OpenSource/blob/main/exploit_idor_asms.md (MITRE, x_refsource_MISC)
News mentions
No linked articles in our index yet.