VYPR
Unrated severity · NVD Advisory · Published May 12, 2023 · Updated Aug 2, 2024

SourceCodester Lost and Found Information System access control

CVE-2023-2670

Description

A vulnerability was found in SourceCodester Lost and Found Information System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file admin/?page=user/manage_user. The manipulation leads to improper access controls. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-228886 is the identifier assigned to this vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Staff users in SourceCodester Lost and Found Information System 1.0 can escalate privileges to admin via improper access controls in the user management page.

Vulnerability

The vulnerability exists in the admin/?page=user/manage_user page of SourceCodester Lost and Found Information System version 1.0. The save_users() function does not enforce proper authorization checks when creating or modifying user accounts. A staff-level user can manipulate the type parameter to create a user with admin privileges, bypassing intended role restrictions. The affected code path is reachable by any authenticated user with staff permissions.

Exploitation

An attacker must first authenticate as a staff user. The attacker then visits the vulnerable page and submits a request to create a new user, setting the type field to admin. The application does not verify that the current user has permission to assign admin roles, allowing the attacker to create an admin account. The attacker can then log in with the newly created admin account to gain full control. The proof of concept steps are documented in the public exploit [1].

Impact

Successful exploitation results in privilege escalation from staff to admin. The attacker gains unrestricted access to all administrative functions, including user management, system configuration, and sensitive data. This compromises the confidentiality, integrity, and availability of the application.

Mitigation

As of the publication date, no official patch has been released by the vendor. The application is end-of-life or unsupported. Mitigation requires a server-side authorization check in the save_users() function so that only an already-authenticated admin can create or modify admin accounts; the check must be based on the role stored in the caller's session, never on the client-supplied type value. Until a fix is applied, administrators should limit staff accounts to trusted personnel and monitor user creation, in particular any new account created with an admin role.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing access control in the user creation function allows any authenticated user to create accounts with any role, including admin."

Attack vector

An attacker first visits the vulnerable page `/php-lfis/admin/?page=user/manage_user` and creates a user with type "staff". After logging in as that staff user, the attacker navigates to the same page and creates a new user with type "admin". Because the `save_users()` function does not enforce any access control checks on who can create admin-level accounts, the attacker can then log in as the newly created admin user and gain full system permissions. [ref_id=1]

Affected code

The vulnerability exists in the file `admin/?page=user/manage_user` of SourceCodester Lost and Found Information System 1.0. The `save_users()` function processes user creation without checking the role/type of the currently logged-in user, allowing any authenticated user to create accounts with any user type, including admin. [ref_id=1]

What the fix does

No official patch has been published by the vendor, and the advisory does not include a fix or remediation guidance. To close this vulnerability, the `save_users()` function should read the role of the currently authenticated user from the server-side session and reject any request that assigns a role the caller is not permitted to grant (e.g. only an existing admin may create an admin-level user). The client-supplied `type` value must be validated against that allow-list rather than written to the database as received. [ref_id=1]
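The check described above, together with the monitoring of user creation suggested under Mitigation, as an added illustration in PHP (the application's language). This is not code from the SourceCodester project: the function names `save_users_vulnerable()` and `save_users_fixed()`, the `users` table columns, the session keys `login_id` and `login_type`, and the role strings are assumptions standing in for whatever the real application uses. The vulnerable shape mirrors the root cause on this page (the request's `type` field is trusted as-is); the fixed shape derives the set of assignable roles from the caller's session role before writing. The demo runs on an in-memory SQLite database and needs the `pdo_sqlite` extension.

```php
<?php
// Added illustration, not the SourceCodester project's code. Table layout,
// session keys, role names and function names are assumptions.
declare(strict_types=1);

const ROLE_ADMIN = 'admin';
const ROLE_STAFF = 'staff';

/**
 * Vulnerable shape: the role comes straight from the request, so any
 * authenticated user (or anyone who can reach the handler) can submit
 * type=admin and obtain an admin account.
 */
function save_users_vulnerable(PDO $db, array $post): bool
{
    $stmt = $db->prepare('INSERT INTO users (username, password, type) VALUES (?, ?, ?)');
    return $stmt->execute([
        $post['username'],
        password_hash($post['password'], PASSWORD_DEFAULT),
        $post['type'],   // client-controlled, never validated
    ]);
}

/**
 * Roles the caller is allowed to assign, decided on the server from the
 * caller's own session role. Only an admin may create another admin.
 */
function assignable_roles(string $callerRole): array
{
    return $callerRole === ROLE_ADMIN ? [ROLE_ADMIN, ROLE_STAFF] : [ROLE_STAFF];
}

/**
 * Hardened shape: require an authenticated session, validate the requested
 * role against the allow-list, and log every rejected attempt so that
 * privilege-escalation attempts show up in the audit trail.
 */
function save_users_fixed(PDO $db, array $session, array $post): bool
{
    if (empty($session['login_id']) || empty($session['login_type'])) {
        return false;   // no authenticated user behind this request
    }
    $requested = (string) ($post['type'] ?? '');
    if (!in_array($requested, assignable_roles((string) $session['login_type']), true)) {
        error_log(sprintf(
            'access denied: user %s (%s) tried to create a "%s" account',
            $session['login_id'], $session['login_type'], $requested
        ));
        return false;   // e.g. staff attempting to mint an admin
    }
    $stmt = $db->prepare('INSERT INTO users (username, password, type) VALUES (?, ?, ?)');
    return $stmt->execute([
        $post['username'],
        password_hash($post['password'], PASSWORD_DEFAULT),
        $requested,
    ]);
}

// Constructed demo data: a staff session submitting the escalation request.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, type TEXT)');

$staffSession = ['login_id' => 7, 'login_type' => ROLE_STAFF];
$escalation   = ['username' => 'newadmin', 'password' => 'pw', 'type' => ROLE_ADMIN];

$vuln  = save_users_vulnerable($db, $escalation);               // admin row is written
$fixed = save_users_fixed($db, $staffSession, $escalation);     // rejected and logged
$admins = (int) $db->query("SELECT COUNT(*) FROM users WHERE type = 'admin'")->fetchColumn();

printf("vulnerable accepted: %s, fixed accepted: %s, admin rows: %d\n",
    var_export($vuln, true), var_export($fixed, true), $admins);
```

The essential point is that `assignable_roles()` takes its input from the session, which the client cannot edit, while the request's `type` is only ever compared against that list. Wiring the same allow-list into the edit path (changing an existing user's role) closes the "modify" half of the advisory as well.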

Preconditions

  • Network: the attacker must be able to reach the web application.
  • Input: the attacker must be able to register or create a staff-level user (no special privileges required initially).

Reproduction

1. Visit the vulnerable page: `/php-lfis/admin/?page=user/manage_user`
2. Create a user with type "staff"
3. Log in with the staff user
4. Go to `/php-lfis/admin/?page=user/manage_user`
5. Create an admin user
6. Log in as the admin user and gain full permissions [ref_id=1]

Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

3

News mentions

0

No linked articles in our index yet.