CVE-2026-10288
Description
Improper authentication in code-projects Hotel and Tourism Reservation System 1.0 allows remote attackers to bypass login with any password.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A critical improper authentication vulnerability exists in the admin login functionality of code-projects Hotel and Tourism Reservation System version 1.0. The issue stems from an inverted conditional check on the return value of password_verify() in /admin/login.php: the application grants access when an incorrect password is provided and denies access when the correct password is supplied [2].
Exploitation
An unauthenticated remote attacker can exploit this vulnerability by navigating to the admin login page, providing a valid email address, and then submitting any arbitrary incorrect password. This sequence triggers the flawed logic, granting the attacker administrative access without needing the correct credentials [2].
Impact
Successful exploitation allows a remote, unauthenticated attacker to gain full administrative access to the application. This includes the ability to view, modify, and delete all room and tour reservations, as well as add, edit, or remove rooms, tours, and events [2].
Mitigation
As of the available references, no fixed version for this vulnerability has been disclosed. Users are advised to consult the vendor for patches or workarounds. A public proof of concept exists, so exploitation requires no special skill [1, 2].
AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: =1.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The application grants administrative access when an incorrect password is provided due to an inverted conditional check on the return value of password_verify()."
Attack vector
An unauthenticated remote attacker can exploit this vulnerability by navigating to the admin login page and submitting a valid administrator email address along with any arbitrary incorrect password. The application then bypasses authentication and redirects to the admin dashboard, granting full administrative access. The attack works because the success logic sits in the `else` branch of the conditional on `password_verify()`, which is the branch that executes when the password is wrong [ref_id=1].
Affected code
The vulnerability resides in the `admin/login.php` file, specifically within lines 39-46. The issue stems from the incorrect placement of the login logic in the `else` block of the conditional on the `password_verify()` call, while the error path sits in the `if` block. This inverted conditional check leads to improper authentication [ref_id=1].
What the fix does
The recommended fix involves swapping the conditional branches in `admin/login.php`: login should be granted only when `password_verify()` returns true (correct password), and an error message should be displayed when it returns false (incorrect password) [ref_id=1]. This corrects the inverted logic that caused the authentication bypass.
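The following PHP is an added illustration of the inverted check and its corrected form; it is not the code-projects source and does not reproduce lines 39-46 of `admin/login.php`. The function names, the stored hash and the two test passwords are constructed for the demonstration; a real login handler would look the hash up by the submitted email.

```php
<?php
// Added example (not the project's code): models the inverted
// password_verify() check described in the advisory next to the fixed form.

// Constructed stored hash. In the real application this would be read from
// the admin table after looking up the submitted email address.
$storedHash = password_hash('correct-horse-battery-staple', PASSWORD_DEFAULT);

// Hypothetical vulnerable pattern: the branches are swapped. A wrong password
// reaches the "success" path and the correct one is rejected.
function vulnerableLogin(string $submitted, string $hash): bool
{
    if (password_verify($submitted, $hash)) {
        // Correct password: the app shows "invalid credentials".
        return false;
    } else {
        // Wrong password: the app sets the admin session and redirects.
        return true;
    }
}

// Fixed pattern: grant access only when password_verify() returns true.
// The boolean is returned directly so there is no second branch to invert.
function fixedLogin(string $submitted, string $hash): bool
{
    return password_verify($submitted, $hash);
}

// Demo: 'wrongpassword' mirrors the reproduction steps; the second value is
// the constructed correct password.
foreach (['wrongpassword', 'correct-horse-battery-staple'] as $pw) {
    printf(
        "%-30s vulnerable=%-8s fixed=%s\n",
        $pw,
        vulnerableLogin($pw, $storedHash) ? 'GRANTED' : 'denied',
        fixedLogin($pw, $storedHash) ? 'GRANTED' : 'denied'
    );
}
```

Running the script prints `GRANTED` for `wrongpassword` under the vulnerable function and `denied` under the fixed one, which is exactly the behaviour the reproduction steps rely on. A regression test that asserts a wrong password is rejected catches this class of branch swap before release, and after a successful check the handler should call `session_regenerate_id(true)` before setting the admin session so that an inherited session ID cannot be reused.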
Preconditions
- auth: No authentication is required to access the login page.
- input: A valid administrator email address is required.
Reproduction
Step 1: Navigate to the admin login page (`http:///ht/admin/login.php`).
Step 2: Enter a valid admin email (e.g., `admin@admin.com`) and any incorrect password (e.g., `wrongpassword`).
Step 3: Click Login. The application bypasses authentication and redirects to the admin dashboard (`index.php`), granting full admin access [ref_id=1].
Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.