Sushmi-pal Invoice-System User Management user improper authorization
Description
A flaw has been found in Sushmi-pal Invoice-System up to commit a0a3faa16dee2621b231ae227333f5761607283b. It affects an unknown part of the file /user in the User Management Handler component. Manipulation of the argument role leads to improper authorization. The attack can be launched remotely. An exploit has been published and may be used. The product follows a rolling release model with continuous delivery, so no version numbers are available for affected or fixed releases. The vendor was contacted early about this disclosure but did not respond in any way.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A broken access control vulnerability in Sushmi-pal Invoice-System allows any user to escalate privileges by crafting requests with an admin role.
Vulnerability
The User Management Handler endpoint /user in Sushmi-pal Invoice-System (up to commit a0a3faa16dee2621b231ae227333f5761607283b) lacks effective authorization controls. The controller accepts attacker-controlled role data, and the routes are not protected by admin-only middleware. This allows any authenticated user to create or modify accounts with arbitrary roles. The product uses a rolling release model, so no specific version numbers for affected or fixed releases are available [1].
Exploitation
An attacker needs network access to the application and any valid user account (or registration capability). The exploit involves sending a POST or PUT request to /user with a crafted payload that includes a role=admin parameter. A published proof of concept demonstrates the exact HTTP request [1]. No special position beyond remote network access is required.
Impact
Successful exploitation leads to privilege escalation: the attacker can assign the administrative role to their own account or to others, resulting in full account takeover and unauthorized access to every administrative function. The page rates the CIA impact primarily as integrity and availability, since the attacker gains complete control over user management and application settings [1]; in practice an admin session also exposes whatever data the administrative views can read, so confidentiality should be assumed affected as well.
Mitigation
No official patch exists as of the publication date (2026-05-25); the vendor did not respond to disclosure. Rolling release means users must rely on updates from the project source. Recommended workarounds include enforcing authorization middleware on all /user routes, removing role from the model's $fillable array, and implementing Laravel Policies for user creation and update operations [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <= a0a3faa16dee2621b231ae227333f5761607283b
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing server-side authorization checks allow any authenticated user to set the `role` field to `admin` during user creation or modification."
Attack vector
An attacker sends a POST request to `/user` with a `role=admin` parameter. Because there is no server-side authorization check on the role value and no admin-only middleware on the user management routes, the request is processed like any other, so any authenticated user can create or modify accounts with administrative privileges [ref_id=1]. The attack is remotely exploitable with no precondition beyond network access to the application and a valid session.
Affected code
The vulnerable endpoint is `/user` via POST/PUT methods in the User Management Handler component. The controller accepts attacker-controlled `role` data without effective authorization checks, and the user resource routes are not protected by admin-only middleware [ref_id=1].
What the fix does
No patch has been published by the vendor. The advisory recommends three mitigations: protect all `/user` routes with admin-only middleware, remove `role` from the model's `$fillable` array or validate it against a trusted whitelist, and implement Laravel Policies to authorize user creation and updates [ref_id=1].
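The three mitigations above, written out in Laravel terms as an added example (this is not code from Sushmi-pal Invoice-System or from the advisory). Each section belongs in the Laravel file named in its header comment; they are shown together so the vulnerable shape and the hardened shape can be read side by side. `UserController`, `UserPolicy`, the `manage-users` ability and the `user`/`admin` role values are assumed names, not identifiers from the project.

```php
<?php
// Added example, not code from Sushmi-pal Invoice-System. Each section belongs
// in the Laravel file named in its header; they are concatenated here so the
// vulnerable shape and the hardened shape sit side by side.
// UserController, UserPolicy, the 'manage-users' ability and the role values
// 'user'/'admin' are assumptions.

use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Gate;
use Illuminate\Support\Facades\Hash;
use Illuminate\Support\Facades\Route;
use Illuminate\Validation\Rule;

// ---- routes/web.php ---------------------------------------------------------
// Vulnerable: the /user resource routes carry no admin-only middleware.
//     Route::resource('user', UserController::class);

// Hardened: every /user route requires a login and the manage-users ability.
Route::resource('user', UserController::class)
    ->middleware(['auth', 'can:manage-users']);

// ---- app/Providers/AuthServiceProvider.php, inside boot() -------------------
Gate::policy(User::class, UserPolicy::class);
Gate::define('manage-users', fn (User $actor) => $actor->role === 'admin');

// ---- app/Models/User.php ----------------------------------------------------
// Vulnerable: 'role' is mass-assignable, so role=admin in the request body
// reaches the database through User::create($request->all()).
//     protected $fillable = ['name', 'email', 'password', 'role'];
// Hardened: 'role' can never be filled from request input.
//     protected $fillable = ['name', 'email', 'password'];

// ---- app/Policies/UserPolicy.php --------------------------------------------
class UserPolicy
{
    // Only admins may create accounts or change other accounts.
    public function create(User $actor): bool
    {
        return $actor->role === 'admin';
    }

    public function update(User $actor, User $target): bool
    {
        return $actor->role === 'admin';
    }
}

// ---- app/Http/Controllers/UserController.php --------------------------------
class UserController extends \App\Http\Controllers\Controller
{
    // Vulnerable store(): no authorization call, role copied straight from input.
    //     public function store(Request $request)
    //     {
    //         return User::create($request->all());
    //     }

    // Hardened store(): policy check first, then role validated against a
    // whitelist and assigned explicitly rather than through mass assignment.
    public function store(Request $request)
    {
        Gate::authorize('create', User::class);   // UserPolicy::create, 403 on failure

        $data = $request->validate([
            'name'     => ['required', 'string', 'max:255'],
            'email'    => ['required', 'email', 'unique:users,email'],
            'password' => ['required', 'string', 'min:12'],
            'role'     => ['required', Rule::in(['user', 'admin'])],
        ]);

        $user = new User();
        $user->fill([
            'name'     => $data['name'],
            'email'    => $data['email'],
            'password' => Hash::make($data['password']),
        ]);
        $user->role = $data['role'];   // explicit assignment, after authorization
        $user->save();

        return redirect()->route('user.index');
    }

    public function update(Request $request, User $user)
    {
        Gate::authorize('update', $user);   // UserPolicy::update

        $data = $request->validate([
            'role' => ['sometimes', Rule::in(['user', 'admin'])],
        ]);

        if (array_key_exists('role', $data)) {
            $user->role = $data['role'];
        }
        $user->save();

        return redirect()->route('user.index');
    }
}
```

The middleware and the policy overlap on purpose: the route-level `can:manage-users` check stops a non-admin before the controller runs, and `Gate::authorize` inside each action guards the same operation if the route list is ever changed. Dropping `role` from `$fillable` is the defence that holds even if both of those checks are forgotten on a new endpoint, because `fill()` and `create()` will then silently discard any `role` key in the input.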
Preconditions
- Network: attacker must have network access to the application's /user endpoint
- Auth: attacker must be an authenticated user of the application
Reproduction
Send a POST request to `/user` with the following body: `name=attacker&email=attacker@example.com&password=Password123&role=admin`. The application will create a new user with the `admin` role due to missing authorization controls [ref_id=1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- gist.github.com/c4ttr4ck/c891dd0fa550e910a1724cbd96d93a80 (exploit)
- vuldb.com/submit/813605 (third-party advisory)
- vuldb.com/vuln/365390 (vdb-entry, technical description)
- vuldb.com/vuln/365390/cti (signature, permissions required)
News mentions
No linked articles in our index yet.