
Exploit Title: Privilege Escalations in Blood Donor Management System Using CodeIgniter - 1.0
Date: 9 Sep 2022
Exploit Author: RashidKhan Pathan
Vendor Homepage: https://phpgurukul.com/blood-donor-management-system-using-codeigniter
Software Link: https://phpgurukul.com/blood-donor-management-system-using-codeigniter
Version: v1.0
Tested on: Windows 10, Kali Linux
CVE: CVE-2022-38813
Description:
PHPGurukul Blood Donor Management System 1.0 does not properly restrict
access to admin/dashboard.php. Any logged-in user who reaches the admin
endpoint gains the full admin role: viewing all user data, deleting
users, adding and managing blood groups, and submitting reports.
Steps to Reproduce:
1: Log in with an ordinary user account.
2: In the browser address bar, replace the user endpoint with the admin endpoint, e.g. change http://localhost/blood/user/dashboard to http://localhost/blood/admin/dashboard. The admin dashboard loads for the low-privileged account; no further authentication is requested.

Proof Of Concept: https://drive.google.com/file/d/1lmU8zuyzyC9LHFXuXzamnkcLcjcfs0xE/view?usp=sharing
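The root cause is a missing authorization check: the admin controller trusts any authenticated session instead of verifying the session's role. As an added illustration (not code from PHPGurukul or from this advisory), the filter below shows how a CodeIgniter 4 application would refuse every admin/* route to a non-admin session; it assumes CodeIgniter 4's filter API and assumes the login code stores the hypothetical session keys `isLoggedIn` and `role`. In CodeIgniter 3, which has no route filters, the same check belongs in the admin controller's constructor.

```php
<?php
// Added example, not part of the advisory or the vendor's application.
// Assumes CodeIgniter 4 and that the login controller stores the
// hypothetical session keys 'isLoggedIn' (bool) and 'role' ('user'|'admin').
namespace App\Filters;

use CodeIgniter\Filters\FilterInterface;
use CodeIgniter\HTTP\RequestInterface;
use CodeIgniter\HTTP\ResponseInterface;

class AdminAuth implements FilterInterface
{
    // Runs before any controller matched by the filter's route pattern.
    public function before(RequestInterface $request, $arguments = null)
    {
        $session = session();

        // Unauthenticated: send to the login page.
        if ($session->get('isLoggedIn') !== true) {
            return redirect()->to('/login');
        }

        // Authenticated but not an admin: refuse with 403 and leave a log
        // entry, rather than relying on users never typing /admin/... by hand.
        if ($session->get('role') !== 'admin') {
            log_message('warning', 'Non-admin session reached admin route: ' . uri_string());
            return service('response')->setStatusCode(403)->setBody('Forbidden');
        }

        // Returning nothing lets the request continue to the admin controller.
    }

    public function after(RequestInterface $request, ResponseInterface $response, $arguments = null)
    {
        // Nothing to do after the response has been built.
    }
}

// Registration in app/Config/Filters.php (assumed shape for CodeIgniter 4):
//
//   public $aliases = ['adminauth' => \App\Filters\AdminAuth::class];
//   public $filters = ['adminauth' => ['before' => ['admin/*']]];
//
// With the filter bound to admin/*, changing /user/dashboard to /admin/dashboard
// as a regular user returns 403 instead of the admin panel.
```

The filter must cover every admin route (admin/*), not just the dashboard; protecting only the landing page leaves the delete and manage actions reachable by direct URL.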