Tutorials-Website Employee Management System Improper Authorization Vulnerability

Vulnerability

An improper authorization vulnerability has been identified in the Tutorials-Website Employee Management System in versions prior to commit 611887d8f8375271ce8abc704507d46340837a60. The issue lies in the file '/admin/all-applied-leave.php', where an unidentified function of the HTTP Request Handler component processes requests without verifying that the caller is authorized. As a result, any user can perform restricted actions such as approving leave without first authenticating. The application normally requires a login before its features can be used, but this endpoint does not enforce that requirement, so unauthorized actions can be triggered remotely.

Impact

Exploitation of this vulnerability results in broken access control: an unauthenticated user can perform actions reserved for logged-in administrators, leading to unauthorized changes in application data such as the approval status of leave requests.

Reproduction

To reproduce this vulnerability, access the application as an anonymous user without logging in. Navigate to the '/admin/all-applied-leave.php' page and send a POST request to this endpoint containing the leave-approval parameters 'approved', 'comment', and 'id'. The request is processed without any authentication, which demonstrates the improper authorization flaw.
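As an added illustration (not code from the Tutorials-Website project), the following PHP sketch shows the shape of the defect and of its fix: a handler that writes the 'approved', 'comment' and 'id' POST parameters straight into the database without checking the session, beside a guarded version that requires an authenticated admin session and a CSRF token, validates the input, and logs rejected attempts. The table and column names, the session keys, and the status values are assumptions chosen for illustration and do not come from the advisory.

```php
<?php
// Added example, not the project's own code. Reconstructs the pattern behind
// the advisory: an admin action reachable over POST with no session check.
// tblleaves, Status, AdminRemark, $_SESSION['alogin'] and the status values
// 1 (approved) / 2 (rejected) are assumptions for this illustration.

declare(strict_types=1);

// --- Vulnerable shape: POST parameters are trusted without any authorization check ---
function approveLeaveUnguarded(PDO $db, array $post): bool
{
    $stmt = $db->prepare(
        'UPDATE tblleaves SET Status = :status, AdminRemark = :remark WHERE id = :id'
    );
    return $stmt->execute([
        ':status' => $post['approved'] ?? null,
        ':remark' => $post['comment'] ?? '',
        ':id'     => $post['id'] ?? null,
    ]);
}

// --- Hardened shape: authenticate, check CSRF token, validate, then update ---
function requireAdminSession(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['alogin'])) {              // assumed admin login flag
        error_log(sprintf('leave-approval denied: no admin session from %s',
            $_SERVER['REMOTE_ADDR'] ?? 'unknown'));  // useful detection signal
        http_response_code(403);
        exit('Forbidden');
    }
}

function requireCsrfToken(array $post): void
{
    // Token is assumed to be issued into the session when the form is rendered.
    $expected = $_SESSION['csrf_token'] ?? '';
    $given    = (string)($post['csrf_token'] ?? '');
    if ($expected === '' || !hash_equals($expected, $given)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
}

function approveLeaveGuarded(PDO $db, array $post): bool
{
    requireAdminSession();
    requireCsrfToken($post);

    // Reject anything that is not a positive integer id or a known status value.
    $id = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    $status = filter_var($post['approved'] ?? null, FILTER_VALIDATE_INT);
    if ($id === false || !in_array($status, [1, 2], true)) {
        http_response_code(400);
        exit('Bad request');
    }
    $remark = mb_substr(trim((string)($post['comment'] ?? '')), 0, 500);

    $stmt = $db->prepare(
        'UPDATE tblleaves SET Status = :status, AdminRemark = :remark WHERE id = :id'
    );
    $ok = $stmt->execute([':status' => $status, ':remark' => $remark, ':id' => $id]);

    // Audit trail: who changed which record to what.
    error_log(sprintf('leave %d set to status %d by admin %s',
        $id, $status, (string)($_SESSION['alogin'] ?? '?')));
    return $ok;
}

// Typical wiring at the top of the page: every request path runs the guard.
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST' && isset($_POST['approved'])) {
    $db = new PDO('mysql:host=localhost;dbname=ems', 'ems', 'password'); // placeholder DSN
    approveLeaveGuarded($db, $_POST);
}
```

The essential difference is that requireAdminSession() runs before any parameter is read, so an anonymous POST is refused with a 403 and logged rather than reaching the UPDATE; the CSRF check and the integer/status validation close the remaining ways a crafted request could drive the same action.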

Added: Sep 26, 2025, 5:21 PM
Updated: Sep 26, 2025, 5:21 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.0
exploitability: 8.7
remediation: 0.0
relevance: 0.6
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.