# CVE-2023-46449
Incorrect Access Control
VIDEO POC LINK
https://www.youtube.com/watch?v=H5QnsOKjs3s
Sourcecodester Free and Open Source inventory management system v1.0 is
vulnerable to Incorrect Access Control. An arbitrary authenticated user can
change the password of another user and take over that account via an IDOR
in the password change function.
STEPS TO REPRODUCE
1. Log in as user 1.
2. Visit the password change function.
3. Configure the browser proxy with Burp Suite to intercept the request.
4. Send the password change request, intercept it, and manipulate the user id to change another user's password.
5. Forward the request and turn off the intercept.
6. Log in as the other user with the new password.
7. Observe that the account is successfully compromised.
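The root cause of the steps above is a handler that trusts the user id carried in the request. The following added example (not the inventory system's own code; users, session and request fields are constructed for illustration) models the vulnerable pattern beside the fixed one, where the account to modify is taken from the server-side session and a mismatching id is rejected:

```python
# Added example: minimal model of a password-change handler with the IDOR
# pattern this advisory describes, and the access-control fix.
# All names (users, session, request fields) are constructed for illustration;
# this is not the Sourcecodester inventory system's own code.
import hashlib
import os


class Forbidden(Exception):
    """Raised when a request tries to act on an account it does not own."""


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user_table():
    """Constructed sample users: id -> (salt, password hash)."""
    users = {}
    for uid, pw in ((1, "user1-pass"), (2, "user2-pass")):
        salt = os.urandom(16)
        users[uid] = (salt, _hash(pw, salt))
    return users


def verify(users, uid, password) -> bool:
    salt, digest = users[uid]
    return _hash(password, salt) == digest


def change_password_vulnerable(users, session_uid, request):
    """Vulnerable: the target account comes from the request body, so any
    logged-in user can overwrite another user's password (IDOR)."""
    target = int(request["user_id"])  # attacker-controlled value
    salt = os.urandom(16)
    users[target] = (salt, _hash(request["new_password"], salt))
    return target


def change_password_fixed(users, session_uid, request):
    """Fixed: the account is bound to the authenticated session, the current
    password is re-verified, and a foreign user_id is rejected, not honoured."""
    if "user_id" in request and int(request["user_id"]) != session_uid:
        raise Forbidden("user_id does not match authenticated session")
    if not verify(users, session_uid, request["current_password"]):
        raise Forbidden("current password incorrect")
    salt = os.urandom(16)
    users[session_uid] = (salt, _hash(request["new_password"], salt))
    return session_uid


def attempt(handler, users, session_uid, request) -> str:
    """Run a handler and report 'ok:<uid>' or 'forbidden' for comparison."""
    try:
        return f"ok:{handler(users, session_uid, request)}"
    except Forbidden:
        return "forbidden"
```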
Affected Component
Password change Functionality
Attack Type
Remote
------------------------------------------
CVE Impact Other
Account Takeover
------------------------------------------
Attack Vectors
The victim's user id is needed, and it is easily enumerable.
------------------------------------------
Reference
https://youtu.be/H5QnsOKjs3s
------------------------------------------
Discoverer
Sajal Jat