Vulnerability Summary

Product Information
- Vendor Homepage: https://www.bdtask.com/
- Software Link: https://www.bdtask.com/sales-erp-software.php
- Affected Version: Unknown (issue verified on demo instance)
- Bug Author: 4m3rr0r

Vulnerability Details
- Type: Broken Access Control leading to Privilege Escalation
- Affected URLs:
  - /add_role
  - /bank_list
  - /stock
  - /purchase_list
  - and many more
- Vulnerable Parameter: ci_session
- Vulnerable Component: Backend RBAC (Role-Based Access Control) permission validation

Vulnerability Type
- CWE ID: CWE-285, CWE-639
- Severity Level: Critical
- CVSS Score: 9.8 (Critical)

Root Cause
- The application does not enforce server-side authorization checks. Any authenticated user session is treated as valid for admin endpoints. No role validation is applied, resulting in full privilege escalation.

Impact
- Escalation from normal user to admin
- Unauthorized access to all administrative modules
- View, edit, delete sensitive ERP data
- Creation/modification of roles
- Full control of the ERP instance

Description
- A normal authenticated user can access restricted admin endpoints by simply using their own ci_session cookie. The server fails to verify whether the user is an administrator.

Proof of Concept (PoC)
- A video PoC demonstrates logging in as a normal user, using the session cookie to request admin endpoints, and successfully accessing admin functionalities.

Suggested Remediation
1. Add server-side role verification on all admin endpoints.
2. Implement centralized RBAC middleware.
3. Bind ci_session to role/permission state.
4. Deny direct access to admin routes without authorization.
5. Conduct a full authorization audit.

References
- OWASP Top 10 - A01 Broken Access Control
- CWE-285 Improper Authorization
- CWE-639 Authorization Bypass Through User-Controlled Key
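The remediation steps above (server-side role verification, a centralized RBAC check, binding the session to role state, and deny-by-default on admin routes) can be shown together in one gate that runs before every controller. The following is an added, framework-agnostic Python example written for this advisory; it is not the vendor's code, and the user records, session store, route table and cookie values (USERS, SESSION_STORE, ROUTE_PERMISSIONS, the "sess-..." strings) are constructed sample data. The session cookie is treated only as an opaque lookup key; the role is read from the server-side user record, never from anything the client sends.

```python
"""Deny-by-default authorization gate for admin routes.

Illustrative, framework-agnostic Python written for this advisory; it is not
the vendor's code. USERS, SESSION_STORE and ROUTE_PERMISSIONS are constructed
sample data. The cookie value is an opaque lookup key: the role is read from
the server-side user record, never from the client.
"""
from dataclasses import dataclass

# Constructed user records. role_version increases every time the user's role
# is changed, so sessions issued under an old role are no longer honoured.
USERS = {
    1: {"username": "alice", "role": "admin", "role_version": 3},
    2: {"username": "bob", "role": "user", "role_version": 1},
}

# Constructed server-side session store keyed by the opaque cookie value (the
# ci_session value in the advisory). It holds only the user id and the
# role_version captured at login, which binds the session to role state.
SESSION_STORE = {
    "sess-alice-9f3a": {"user_id": 1, "role_version": 3},
    "sess-bob-71c2": {"user_id": 2, "role_version": 1},
    "sess-stale-0000": {"user_id": 1, "role_version": 2},  # issued before alice's record last changed
}

# Route -> minimum role required. Routes absent from this table are denied,
# so a newly added admin controller cannot become reachable by accident.
ROUTE_PERMISSIONS = {
    "/add_role": "admin",
    "/bank_list": "admin",
    "/stock": "admin",
    "/purchase_list": "admin",
    "/dashboard": "user",
}

ROLE_RANK = {"user": 1, "manager": 2, "admin": 3}

# Denied requests are recorded here; in production this is the audit trail a
# detection rule (one session probing many admin routes) would run over.
AUDIT_LOG = []


@dataclass
class Decision:
    allowed: bool
    status: int   # HTTP status the middleware would return
    reason: str


def vulnerable_check(cookie: str, path: str) -> bool:
    """The flawed check the advisory describes: any live session passes."""
    return cookie in SESSION_STORE


def authorize(cookie: str, path: str) -> Decision:
    """Centralized check run before every controller (remediation steps 1-4)."""
    sess = SESSION_STORE.get(cookie)
    if sess is None:
        return _deny(cookie, path, 401, "no valid session")
    user = USERS.get(sess["user_id"])
    if user is None:
        return _deny(cookie, path, 401, "session refers to an unknown user")
    if sess["role_version"] != user["role_version"]:
        return _deny(cookie, path, 401, "session predates a role change; re-login required")
    required = ROUTE_PERMISSIONS.get(path)
    if required is None:
        return _deny(cookie, path, 403, "route not in permission table (deny by default)")
    if ROLE_RANK.get(user["role"], 0) < ROLE_RANK[required]:
        return _deny(cookie, path, 403, f"role '{user['role']}' may not access {path}")
    return Decision(True, 200, "authorized")


def _deny(cookie: str, path: str, status: int, reason: str) -> Decision:
    """Record the refusal for the audit trail and return the decision."""
    user_id = SESSION_STORE.get(cookie, {}).get("user_id")
    AUDIT_LOG.append({"user_id": user_id, "path": path, "status": status, "reason": reason})
    return Decision(False, status, reason)


def change_role(user_id: int, new_role: str) -> None:
    """Administrative role change: bumps role_version so every existing session
    for this user must re-authenticate before the new role takes effect."""
    user = USERS[user_id]
    user["role"] = new_role
    user["role_version"] += 1


if __name__ == "__main__":
    for cookie, path in [("sess-bob-71c2", "/add_role"), ("sess-alice-9f3a", "/add_role")]:
        print(cookie, path, "vulnerable:", vulnerable_check(cookie, path),
              "hardened:", authorize(cookie, path))
```

Running the script shows the contrast the advisory describes: `vulnerable_check` lets bob's ordinary session reach `/add_role` because the only question asked is whether a session exists, while `authorize` refuses it with a 403 and records the refusal. The `role_version` comparison is what step 3 asks for: after `change_role` the old sessions stop working until the user logs in again, so a demoted account cannot keep using admin pages on a cookie issued earlier.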