VYPR
High severity · 7.3 · NVD Advisory · Published Jun 1, 2026

CVE-2026-10243

Description

Smart Parking System 1.0 lacks authentication on admin endpoints, allowing unauthenticated remote attackers to perform privileged operations.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Smart Parking System 1.0 by code-projects.org fails to enforce authentication on multiple admin-only endpoints, including attendant.php, edit.php, basic_table.php, basic_table2.php, and admin_request.php. An unauthenticated remote attacker can directly access these endpoints without any session cookie or credentials. The vulnerability is classified as CWE-306 (Missing Authentication for Critical Function) and affects version 1.0 [1].

Exploitation

An attacker needs only network access to the application; no authentication, session token, or user interaction is required. The exploit involves sending direct GET requests to the vulnerable endpoints. For example, navigating to attendant.php loads the full attendant creation form, allowing the attacker to create rogue attendant accounts. Similarly, edit.php enables reading and overwriting parking records, basic_table.php allows deletion of records, basic_table2.php dumps all attendant PII, and admin_request.php exposes customer emails and booking data [1].

Impact

Successful exploitation grants the attacker full administrative functionality without any authentication. This includes creating attendant accounts, modifying or deleting parking records, and accessing all customer personally identifiable information (PII) and booking data. The impact spans confidentiality (exposure of sensitive data), integrity (unauthorized data modification), and availability (deletion of records), with the attacker operating at the highest privilege level [1].

Mitigation

As of the publication date, no official patch or fixed version has been released by code-projects.org, and the vendor has not acknowledged the vulnerability or provided a security update. Until a fix is available, administrators should restrict network access to the admin endpoints using firewall rules or web server access controls, and monitor web server access logs for requests to the five endpoints from unexpected sources. These controls only narrow who can reach the endpoints; the application itself stays unauthenticated until the per-file session check is added. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog [1].

AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"Missing authentication check on admin-facing PHP endpoints allows unauthenticated access to privileged functions."

Attack vector

An unauthenticated remote attacker sends direct HTTP GET requests to any of the five unprotected admin endpoints — `attendant.php`, `edit.php`, `basic_table.php`, `basic_table2.php`, or `admin_request.php` [ref_id=1]. No session cookie, credentials, or user interaction is required. The server processes the request as if the attacker were an authenticated administrator, enabling account creation, record modification, deletion, and data exfiltration [ref_id=1].

Affected code

Five PHP files lack authentication enforcement: `attendant.php`, `edit.php`, `basic_table.php`, `basic_table2.php`, and `admin_request.php` [ref_id=1]. These files handle attendant account creation, parking record read/write/delete, and display of attendant PII and customer booking data. No session or privilege check is performed before executing the privileged operation.

What the fix does

The advisory recommends adding a session authentication check at the top of every admin-facing PHP file: start the session, verify that `$_SESSION['admin']` is set and equals `true`, and redirect to the login page if the check fails [ref_id=1]. The redirect must be followed by `exit`; otherwise PHP keeps executing the rest of the file and the privileged operation still runs. No official patch has been published by the vendor as of the advisory date. Until every one of the five files carries the check, any endpoint that performs privileged operations remains accessible to unauthenticated users.
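The check described above, written out as a reusable guard file. This is an added example, not the vendor's code (the project has no published fix); the login page name `index.php`, the `mark_admin_logged_in()` helper and the `SPS_SKIP_ADMIN_GUARD` constant are assumptions, and the `$_SESSION['admin']` flag follows the advisory text rather than the vendor's source.

```php
<?php
// admin_guard.php: added example of the session check the advisory
// recommends; not code from the Smart Parking System project.
// Make `require_once __DIR__ . '/admin_guard.php';` the first statement of
// each admin-facing file (attendant.php, edit.php, basic_table.php,
// basic_table2.php, admin_request.php), before any HTML, whitespace or
// database query. The login page name ('index.php') and the
// $_SESSION['admin'] flag are assumptions taken from the advisory text.

declare(strict_types=1);

function require_admin(string $loginPage = 'index.php'): void
{
    // Start the session only if none is active; a second session_start()
    // raises a notice, and several files include this guard.
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    // Strict comparison: the string 'true', '1' or any other truthy value
    // must not pass, only the boolean set by the login handler.
    if (!isset($_SESSION['admin']) || $_SESSION['admin'] !== true) {
        session_unset();
        // header() cannot set anything once output has started, so the
        // guard has to run before the admin file emits a single byte.
        header('Location: ' . $loginPage, true, 302);
        // Without exit the rest of the admin script still runs and performs
        // the privileged operation even though the client was redirected.
        exit;
    }
}

// Call from the login handler only after the submitted credentials have been
// verified against the database; that verification is out of scope here.
function mark_admin_logged_in(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // Fresh session id on the privilege change, so a pre-login id that an
    // attacker planted (session fixation) never becomes an admin session.
    session_regenerate_id(true);
    $_SESSION['admin'] = true;
}

// Run the check on include unless the including file (the login handler)
// defined this constant first because it only needs mark_admin_logged_in().
if (!defined('SPS_SKIP_ADMIN_GUARD')) {
    require_admin();
}
```

The guard runs at include time, so a file that includes it cannot forget to call the check; the one file that must not be guarded, the login handler, opts out explicitly by defining the constant before the include.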

Preconditions

  • auth: no authentication required; the attacker needs neither a session nor credentials
  • network: the target application must be reachable over the network
  • config: no special configuration required; a default installation is vulnerable

Reproduction

1. Open a browser with no cookies and navigate to the application root to confirm no active session exists.
2. Send a GET request to `/SMART_PARKING_SYSTEM_IN_PHP_WITH_SOURCE_CODE/attendant.php`; the attendant creation form loads without authentication.
3. Send a GET request to `/SMART_PARKING_SYSTEM_IN_PHP_WITH_SOURCE_CODE/edit.php?edit=5`; parking record data is returned and can be modified.
4. Send a GET request to `/SMART_PARKING_SYSTEM_IN_PHP_WITH_SOURCE_CODE/basic_table.php?delete=4`; the parking record is deleted.
5. Send a GET request to `/SMART_PARKING_SYSTEM_IN_PHP_WITH_SOURCE_CODE/basic_table2.php`; all attendant PII is dumped.
6. Send a GET request to `/SMART_PARKING_SYSTEM_IN_PHP_WITH_SOURCE_CODE/admin_request.php`; all customer booking data is dumped [ref_id=1].
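The reproduction steps above, turned into a check that can be run before and after the session guard is deployed. This is an added example, not part of the advisory or the project: it sends the same cookieless GET requests and reports which endpoints still answer without a session. The `localhost` base URL is an assumption (the directory name and record id 5 are the ones quoted in the steps), and `basic_table.php` is deliberately requested without its `?delete=` parameter so the check never destroys data on a still-vulnerable host.

```php
<?php
// check_admin_auth.php: added example, not code from the Smart Parking System
// project. Repeats the cookieless GET requests from the reproduction steps and
// reports which admin endpoints still serve content without a session.
// Assumptions: the default base URL (localhost); the directory name and the
// record id 5 are taken from the reproduction steps. basic_table.php is
// requested without ?delete= on purpose: the guard sits at the top of the
// file, so the verdict is the same and nothing is deleted.
// Use only against an instance you are authorised to test.

declare(strict_types=1);

const ADMIN_ENDPOINTS = [
    'attendant.php',
    'edit.php?edit=5',
    'basic_table.php',
    'basic_table2.php',
    'admin_request.php',
];

/**
 * Fetch $url with no cookies and without following redirects. Returns
 * ['status' => int|null, 'location' => ?string, 'verdict' => string].
 */
function probe(string $url): array
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HEADER         => true,   // keep headers so Location can be read
        CURLOPT_FOLLOWLOCATION => false,  // the redirect itself is the signal
        CURLOPT_TIMEOUT        => 10,
    ]);
    $raw = curl_exec($ch);
    if ($raw === false) {
        $err = curl_error($ch);
        curl_close($ch);
        return ['status' => null, 'location' => null, 'verdict' => "error: $err"];
    }
    $status     = (int) curl_getinfo($ch, CURLINFO_HTTP_CODE);
    $headerSize = (int) curl_getinfo($ch, CURLINFO_HEADER_SIZE);
    curl_close($ch);

    $headers  = substr($raw, 0, $headerSize);
    $body     = substr($raw, $headerSize);
    $location = preg_match('/^Location:\s*(.+)$/mi', $headers, $m) ? trim($m[1]) : null;

    return [
        'status'   => $status,
        'location' => $location,
        'verdict'  => verdict($status, $location, $body),
    ];
}

function verdict(int $status, ?string $location, string $body): string
{
    if (in_array($status, [301, 302, 303, 307, 308], true) && $location !== null) {
        return "protected (redirects to $location)";
    }
    if ($status === 401 || $status === 403) {
        return 'protected (access denied)';
    }
    // Some applications render the login form in place instead of redirecting;
    // a password field in a 200 body is taken as that case. Heuristic, not proof.
    if ($status === 200 && stripos($body, 'type="password"') !== false) {
        return 'probably protected (login form served)';
    }
    if ($status === 200) {
        return 'EXPOSED (privileged page served without a session)';
    }
    return "unexpected status $status";
}

$base = rtrim($argv[1] ?? 'http://localhost/SMART_PARKING_SYSTEM_IN_PHP_WITH_SOURCE_CODE', '/');
$exposed = 0;
foreach (ADMIN_ENDPOINTS as $endpoint) {
    $result = probe("$base/$endpoint");
    printf("%-22s %s\n", $endpoint, $result['verdict']);
    if (strpos($result['verdict'], 'EXPOSED') === 0) {
        $exposed++;
    }
}
// Non-zero exit status lets a deployment pipeline fail while any endpoint is open.
exit($exposed > 0 ? 1 : 0);
```

Run it as `php check_admin_auth.php http://host/SMART_PARKING_SYSTEM_IN_PHP_WITH_SOURCE_CODE`; before the guard is added every line reads EXPOSED, afterwards each should report a redirect to the login page.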

Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 5

News mentions: 0 (no linked articles in our index yet)