An issue in CodeAstro Complaint Management System v.1.0 allows a remote attacker to escalate privileges via the delete_e.php component.
The vulnerability classified as CWE-281 (Improper Preservation of Permissions) affects the delete_e.php component, which improperly manages permissions during operations. A remote attacker can send a specially crafted request to this component, resulting in unauthorized acquisition of higher privileges in the application. The vulnerability does not require prior authentication or user interaction.
An attacker can obtain elevated privileges in the system, potentially allowing complete takeover of the application, reading, modifying, or deleting data managed by the system.
Patches available from the vendor should be applied according to references. Until the fix is implemented, it is recommended to restrict access to the delete_e.php component at the web server level (e.g., through a firewall or HTTP server rules) and monitor suspicious requests directed to this endpoint.
Codeastro Complaint Management System v.1.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HCodeastro Complaint Management System
APPCodeastro1.0
Related vulnerabilities
SQL Injection w Codeastro Complaint Management System umożliwiający RCE i eskalację uprawnień
Incorrect access control in the endpoint /admin/m_delete.php of CodeAstro Complaint Management System v1.0 all...
An issue in CodeAstro Complaint Management System v.1.0 allows a remote attacker to escalate privileges via th...
An IDOR vulnerability in CodeAstro's Complaint Management System v1.0 (version with 0 updates) enables an atta...
SQL Injection w Codeastro Membership Management System via parametr ID