SourceCodester Indian Invoicing System Backend Endpoint access control
Description
A vulnerability was found in SourceCodester Indian Invoicing System 1.0. Affected is an unknown function of the Backend Endpoint component. Manipulation of a request leads to improper access controls. The attack can be launched remotely. The exploit has been publicly disclosed and may be used. Multiple endpoints are affected.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SourceCodester Indian Invoicing System 1.0 lacks role-based access control on admin endpoints, allowing authenticated users to modify sensitive data.
Vulnerability
The vulnerability resides in the SourceCodester Indian Invoicing System version 1.0. Multiple backend endpoints, including /home.php, /category.php, /state.php, and /cpyprofile.php, are intended for administrative use but lack proper role validation. The application only checks for a valid session via checkUserSession("userId"), without verifying whether the user has administrative privileges. Consequently, any authenticated user can access these pages and perform inline editing of core business records [2].
Exploitation
An attacker with a valid non-admin session (e.g., a staff account) can directly request the vulnerable endpoints via HTTP GET. No additional privileges or user interaction are required. The attack is remote, requiring only network access to the application [2].
Impact
Successful exploitation allows a low-privilege user to modify customer information, categories, states, and company profile data. This compromises data integrity and can lead to business abuse, such as altering tax details or company addresses [2].
Mitigation
As of the publication date, no patch has been released by SourceCodester. Mitigation recommendations include enforcing role-based access control on all admin pages, auditing all CRUD views to ensure backend role checks exist, and logging privileged actions for auditability [2].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: =1.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing role-based authorization check on administrative endpoints allows any authenticated user to access and modify sensitive data."
Attack vector
An attacker who has authenticated with a low-privilege (non-admin) session can directly request any of the administrative endpoints — `/home.php`, `/category.php`, `/state.php`, or `/cpyprofile.php` — by supplying the valid session cookie [ref_id=1]. The server performs no role check beyond confirming the session exists, so the attacker can view and modify customers, categories, states, and company profile data [ref_id=1]. The attack is launched remotely over HTTP with no special network preconditions [ref_id=1].
Affected code
The vulnerable endpoints are `/home.php`, `/category.php`, `/state.php`, and `/cpyprofile.php` [ref_id=1]. The backend checks only for a valid session via `checkUserSession("userId")` and does not verify that the user holds an administrative role [ref_id=1].
What the fix does
No patch has been published for this vulnerability [ref_id=1]. The advisory recommends enforcing role-based access control on all admin pages, adding backend role checks to every sensitive CRUD view, and logging privileged actions for auditability [ref_id=1]. Until a fix is applied, the application remains vulnerable to unauthorized data modification by any authenticated user.
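The pattern described in the Vulnerability, Affected code and fix sections above, shown as an added example rather than code from the SourceCodester project: the advisory only says the admin pages call `checkUserSession("userId")` and nothing else, so the body of that function is an assumption, and `requireRole()` is a hypothetical name for the server-side role check the advisory recommends.

```php
<?php
// Added example, not code from the SourceCodester Indian Invoicing System.
// The body of checkUserSession() is an assumption based on the advisory's
// description; requireRole() is a hypothetical replacement.
// session_start() must already have been called by the including page.

// Vulnerable pattern: the page only confirms that a session value exists.
// Any logged-in account, staff or admin, passes this check.
function checkUserSession(string $key): void
{
    if (empty($_SESSION[$key])) {
        header('Location: login.php');
        exit;
    }
}

// Hardened replacement: require both a live session and a role that is
// held server-side. The role must be stored in the session at login (or
// looked up from the database by user id), never taken from a request
// parameter the client controls.
function requireRole(array $allowedRoles): void
{
    checkUserSession('userId');
    $role = $_SESSION['role'] ?? '';
    if (!in_array($role, $allowedRoles, true)) {
        // Log the denied attempt so privileged access is auditable.
        error_log(sprintf(
            'authz denied: user=%s role=%s uri=%s',
            (string) $_SESSION['userId'],
            $role,
            $_SERVER['REQUEST_URI'] ?? ''
        ));
        http_response_code(403);
        exit('Forbidden');
    }
}

// At the top of home.php, category.php, state.php and cpyprofile.php the
// single call checkUserSession("userId") would become:
// requireRole(['admin']);
```

The check has to sit in front of every request that performs an inline edit, not only the page that renders the form: if the edit is submitted to a separate POST or AJAX handler, a staff session can call that handler directly, so it needs the same `requireRole(['admin'])` guard. Auditing for the gap is mechanical: list every file under the web root that calls `checkUserSession` and confirm each one also calls the role check, and confirm that the login code actually populates `$_SESSION['role']` from the user record.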
Preconditions
- auth: Attacker must possess a valid, authenticated session cookie (any role, including non-admin).
- network: The target endpoints must be reachable over the network (HTTP).
Reproduction
1. Log in to the application with a non-admin (staff) account and capture the `PHPSESSID` cookie.
2. Send a GET request to `/home.php` (or `/category.php`, `/state.php`, `/cpyprofile.php`) with the captured cookie:
`GET /home.php HTTP/1.1`
`Host: localhost`
`Cookie: PHPSESSID=`
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- gist.github.com/c4ttr4ck/db84fc2af3e542acf1eab685264bcfc1 (mitre; exploit)
- vuldb.com/submit/813608 (mitre; third-party-advisory)
- vuldb.com/vuln/365393 (mitre; vdb-entry)
- vuldb.com/vuln/365393/cti (mitre; signature, permissions-required)
- www.sourcecodester.com (mitre; product)
News mentions
No linked articles in our index yet.