VYPR
Unrated severity · NVD Advisory · Published May 25, 2026

Sushmi-pal Invoice-System Profile Workflow profile improper authorization

CVE-2026-9410

Description

A vulnerability has been found in Sushmi-pal Invoice-System up to a0a3faa16dee2621b231ae227333f5761607283b. This vulnerability affects unknown code of the file /profile of the component Profile Workflow. Such manipulation of the argument ID leads to improper authorization. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. This product takes the approach of rolling releases to provide continuous delivery. Therefore, version details for affected and updated releases are not available. The vendor was contacted early about this disclosure but did not respond in any way.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

IDOR in Sushmi-pal Invoice-System's /profile endpoint allows unauthorized viewing and modification of any user's profile by manipulating the ID parameter.

Vulnerability

The vulnerability is an Insecure Direct Object Reference (IDOR) in the profile workflow of Sushmi-pal Invoice-System up to commit a0a3faa16dee2621b231ae227333f5761607283b. The /profile/{id} endpoint (GET and POST) accepts a user-controlled id parameter but fails to verify that the requested profile belongs to the authenticated user. This affects the Invoice System in Laravel version 1.0 [1]. The product uses rolling releases, so no specific version numbers are available for affected or fixed releases.

Exploitation

An attacker can exploit this vulnerability remotely after authenticating as any user. By simply changing the id in the URL (e.g., /profile/1 to /profile/2), the attacker can view or modify another user's profile data without authorization. The PoC demonstrates a POST request that updates the target profile's name and email [1]. No additional privileges or user interaction beyond a valid session are required.

Impact

Successful exploitation allows an attacker to access private profile information (confidentiality) and arbitrarily modify any user's name, email, and settings (integrity). This could lead to account takeover if the email is changed, enabling password reset bypass [1].

Mitigation

No official fix has been released; the vendor did not respond to the disclosure [1]. Recommended mitigations include binding profile actions to the authenticated user via auth()->user() instead of accepting an ID from the route, implementing authorization policies, and using non-sequential UUIDs to prevent enumeration [1]. As of the publication date, the vulnerability remains unpatched.

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0. No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing authorization check in the profile workflow allows a user-controlled ID to access or modify any user's profile."

Attack vector

An attacker can send a POST request to `/profile/{id}` with an arbitrary user ID, such as `/profile/1`, along with crafted form data like `name=Compromised+User&email=owned@example.com`. The server processes the request and updates the profile record for that ID without checking whether the authenticated user owns it [ref_id=1]. This allows any authenticated user to view or modify any other user's profile data remotely.

Affected code

The vulnerability exists in the `/profile/{id}` endpoint of the Profile Workflow. The route accepts a user-controlled `id` parameter via GET and POST methods, and the backend updates the record associated with that ID without verifying it belongs to the authenticated user [ref_id=1].

What the fix does

No patch has been released by the vendor. The recommended mitigation is to bind profile actions to the authenticated user via `auth()->user()` instead of accepting an ID from the route, implement authorization policies to ensure the user ID matches the authenticated session, and use non-sequential identifiers such as UUIDs to prevent easy enumeration of user profiles [ref_id=1].
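The mitigation described in the Mitigation and "What the fix does" sections, shown as an added Laravel example (this is not code from the Invoice-System project or from the advisory's reference). The vulnerable pattern is the one the advisory describes: the record to update is selected by the route's `id`. The hardened forms bind the action to the authenticated session and, where an ID must stay in the route, enforce ownership with a policy. The class names, route definitions, the `is_admin` column and the use of the `User` model for profile data are assumptions for illustration.

```php
<?php
// Added example, not project code. Several classes are shown in one file for
// readability; in a real app each would live in its own PSR-4 file.

namespace App\Http\Controllers;

use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Gate;

// --- VULNERABLE pattern (CWE-639 / IDOR) -----------------------------------
// The target row is chosen by the caller-supplied route parameter and no check
// ties it to the session, so any logged-in user can pick any id.
class VulnerableProfileController extends Controller
{
    public function update(Request $request, int $id)
    {
        $user = User::findOrFail($id);                      // trusts the URL
        $user->update($request->only(['name', 'email']));   // writes any row
        return redirect()->back();
    }
}

// --- HARDENED pattern 1: no ID in the route at all --------------------------
// The profile being edited is always the authenticated user's own; there is
// nothing in the request an attacker can change to reach another account.
class ProfileController extends Controller
{
    public function update(Request $request)
    {
        $data = $request->validate([
            'name'  => ['required', 'string', 'max:255'],
            'email' => ['required', 'email', 'max:255'],
        ]);
        $request->user()->update($data);                    // session-bound
        return redirect()->back();
    }
}

// --- HARDENED pattern 2: ID stays in the route, ownership enforced ----------
// Needed when, e.g., an admin edits other users. The rule lives in a policy so
// every controller that touches a User goes through the same check.
// (Place this in app/Policies/UserPolicy.php and register it for User::class
// in the AuthServiceProvider, or rely on Laravel's policy auto-discovery.)
class UserPolicy
{
    public function update(User $actor, User $target): bool
    {
        // is_admin is an assumed boolean column on the users table.
        return $actor->id === $target->id || (bool) $actor->is_admin;
    }
}

class AdminProfileController extends Controller
{
    // Route-model binding resolves {user}; Gate::authorize throws a 403
    // AuthorizationException unless UserPolicy::update returns true.
    public function update(Request $request, User $user)
    {
        Gate::authorize('update', $user);
        $user->update($request->validate([
            'name'  => ['required', 'string', 'max:255'],
            'email' => ['required', 'email', 'max:255'],
        ]));
        return redirect()->back();
    }
}

// --- routes/web.php (assumed) -----------------------------------------------
// Route::middleware('auth')->group(function () {
//     Route::post('/profile', [ProfileController::class, 'update']);              // own profile only
//     Route::post('/profile/{user}', [AdminProfileController::class, 'update']);   // policy-gated
// });
//
// Defence in depth: adding Illuminate\Database\Eloquent\Concerns\HasUuids to
// the User model makes ids non-sequential, which stops the /profile/1 -> /profile/2
// walk. It does not replace the authorization check above; guessing is harder,
// but a leaked UUID would still be accepted without it.
```

The essential change is the ownership decision: in pattern 1 the server never reads an identifier from the request, and in pattern 2 it reads one but refuses to act on it unless the policy says the session owns the row. Changing the email address in particular deserves a second factor (re-authentication or a confirmation link to the old address), since the advisory notes that an email change is the path to account takeover.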

Preconditions

  • auth: Attacker must be an authenticated user of the Invoice System application.
  • config: The application must expose the /profile/{id} endpoint accepting GET/POST methods.
  • input: Attacker must know or enumerate a valid user ID to target.

Reproduction

1. Authenticate to the Invoice System application.
2. Send a POST request to `/profile/1` with body `name=Compromised+User&email=owned@example.com` and an appropriate `Content-Type: application/x-www-form-urlencoded` header.
3. Observe that the profile for user ID 1 is updated without authorization checks [ref_id=1].

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 4

News mentions: 0. No linked articles in our index yet.