VYPR
Medium severity (5.3) · NVD Advisory · Published Jun 1, 2026 · Updated Jun 1, 2026

CVE-2026-10255

Description

SourceCodester Pharmacy Sales and Inventory System 1.0 has a broken access control via an OR logic flaw in ShowForm.php, leaking sales data without authentication.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

In SourceCodester Pharmacy Sales and Inventory System version 1.0, the `sell_statement` function in `application/controllers/ShowForm.php` contains a critical logic flaw. The authentication check uses the condition `$this->session->userdata("username") != "" || $this->session->userdata("username") != "staff"`. Because the OR operator (`||`) is used instead of an AND operator (`&&`), the condition always evaluates to TRUE: no username can be both empty and equal to "staff", so at least one side of the OR holds even when no user is logged in. This allows unauthenticated attackers to access the sales statement endpoint (`/ShowForm/sell_statement/main`) directly [1]. The same vulnerability also affects the `/ShowForm/supplier_payment/main` endpoint [1].

Exploitation

An attacker can exploit this vulnerability remotely without any authentication or prior knowledge. They simply send a request to the sell_statement URL (e.g., http://target/ShowForm/sell_statement/main). The server incorrectly permits access, returning the full sales data. The condition never denies access, so no special privileges, user interaction, or race window is needed [1].

Impact

Successful exploitation leads to information disclosure of sensitive business and financial records. Exposed data includes sales dates, invoice numbers, medicine names, unit prices, quantities sold, total amounts, discount amounts, and actual revenue received. This can result in competitive disadvantage, financial fraud, privacy violations, and regulatory compliance issues. Additionally, the same broken access control on the supplier payment endpoint exposes supplier payment records [1].

Mitigation

As of the publication date (2026-06-01), the vendor has not released an official patch for this vulnerability. Users should modify the affected code in ShowForm.php by changing the OR condition to an AND condition: $this->session->userdata("username") != "" && $this->session->userdata("username") != "staff". Alternatively, implement proper session-based authentication checks on both endpoints (sell_statement and supplier_payment/main). The vulnerable version is explicitly V1.0; users should monitor the SourceCodester website [2] for updates.

AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"A logical operator error (OR instead of AND) in the session authentication check causes the access control condition to always evaluate to true, allowing unauthenticated access."

Attack vector

An unauthenticated attacker simply opens a browser in incognito/private mode and navigates to `http://localhost/ci_pms/index.php/ShowForm/sell_statement/main` (or the `supplier_payment/main` endpoint). No login, session, or payload is required. The root cause is a logical operator error: the condition `$this->session->userdata("username") != "" || $this->session->userdata("username") != "staff"` always evaluates to true due to the OR operator, so the access control check is completely bypassed [1].

Affected code

The vulnerability is in the `sell_statement` function of `application/controllers/ShowForm.php` (line 200). The same flawed logic also affects the `supplier_payment/main` endpoint in the same controller.

What the fix does

The advisory recommends changing the flawed condition from `$this->session->userdata("username") != "" || $this->session->userdata("username") != "staff"` to `$this->session->userdata("username") != ""` for basic authentication, and implementing role-based access control (RBAC) to distinguish admin from staff privileges [1]. No official patch has been published by the vendor.
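To make the operator error concrete for both the Mitigation section above and the fix described here, the following is an added example written for this page; it is not code from the SourceCodester project. It evaluates the quoted OR condition, the advisory's `&&` rewrite, and a role-based guard over the three session states that matter (no session, a staff login, an admin login), then sketches where such a guard belongs in a CodeIgniter 3 controller. The `role` session key, the `guard()` method, the `'admin'` role value and the use of CI's `redirect()` and `show_error()` helpers are assumptions; only the `ShowForm`, `sell_statement` and `supplier_payment` names and the two conditions come from the advisory.

```php
<?php
// Added example, not the SourceCodester project's code. Part one: pure functions
// that can be run without the framework. Part two: a CodeIgniter 3 controller
// sketch that is only declared inside a CI install (where BASEPATH is defined).

// Vulnerable condition as quoted in the advisory. A string cannot be both empty
// and equal to "staff", so one side of the || is always true and the check
// never denies anyone, including a visitor with no session at all.
function vulnerableCheck(?string $username): bool
{
    $username = (string) $username;          // userdata() yields NULL when unset
    return $username != "" || $username != "staff";
}

// The advisory's suggested rewrite: logged in AND not the staff account.
function advisoryFixCheck(?string $username): bool
{
    $username = (string) $username;
    return $username != "" && $username != "staff";
}

// Role-based guard (assumption: a 'role' key is stored in the session at login).
// Returns 'login' (no session), 'forbidden' (wrong role) or 'allow'. Checking a
// role is more robust than comparing the username against a magic string.
function authorize(array $session, string $requiredRole = 'admin'): string
{
    $username = (string) ($session['username'] ?? '');
    $role     = (string) ($session['role'] ?? '');
    if ($username === '') {
        return 'login';
    }
    return $role === $requiredRole ? 'allow' : 'forbidden';
}

// Constructed session states; the real app stores these via $this->session.
function demoTable(): array
{
    $cases = [
        'no session'  => [],
        'staff login' => ['username' => 'staff', 'role' => 'staff'],
        'admin login' => ['username' => 'admin', 'role' => 'admin'],
    ];
    $rows = [];
    foreach ($cases as $label => $session) {
        $name = $session['username'] ?? null;
        $rows[$label] = [
            'vulnerable'   => vulnerableCheck($name) ? 'allow' : 'deny',
            'advisory_fix' => advisoryFixCheck($name) ? 'allow' : 'deny',
            'role_guard'   => authorize($session),
        ];
    }
    return $rows;
}

foreach (demoTable() as $label => $r) {
    printf("%-12s vulnerable=%-5s advisory_fix=%-5s role_guard=%s\n",
        $label, $r['vulnerable'], $r['advisory_fix'], $r['role_guard']);
}

// Controller sketch, declared only when running inside CodeIgniter. Every
// report method calls the same guard first, so forgetting the check in one
// method cannot silently reopen the hole. redirect() and show_error() both
// terminate the request in CI 3, so nothing below them is rendered.
if (defined('BASEPATH')) {
    class ShowForm extends CI_Controller
    {
        private function guard(): void
        {
            switch (authorize($this->session->userdata() ?: [])) {
                case 'login':     redirect('login');             // no session
                case 'forbidden': show_error('Forbidden', 403);  // wrong role
            }
        }

        public function sell_statement(string $action = 'main'): void
        {
            $this->guard();
            // ... load and render the sales statement only after the guard passes
        }

        public function supplier_payment(string $action = 'main'): void
        {
            $this->guard();
            // ... the same guard protects supplier payment records
        }
    }
}
```

Run stand-alone with `php` to see the table: `vulnerableCheck()` returns true on every row, which is the bug, while both fixes deny the no-session and staff rows and allow only the admin row. The role guard additionally separates "not logged in" (redirect to login) from "logged in but not permitted" (403), which is the distinction the RBAC recommendation is about.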

Preconditions

  • Auth: No authentication required; attacker can be completely unauthenticated
  • Network: Network access to the vulnerable endpoint

Reproduction

1. Open a browser in incognito/private mode (ensure no active session).
2. Directly access `http://localhost/ci_pms/index.php/ShowForm/sell_statement/main` without logging in.
3. Observe that the sales statement page is fully accessible, displaying all sales records including date, invoice, medicine name, unit price, quantity, total amount, discount, and payment details.
4. Directly access `http://localhost/ci_pms/index.php/ShowForm/supplier_payment/main` without logging in.
5. Observe that the supplier payment page is also fully accessible, exposing supplier names, payment records, and financial due amounts.

Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 6

News mentions: 0 (no linked articles in the index yet)