Actively Exploited in the Wild
This vulnerability is being actively exploited in the wild.
Haxxorsid Stock-Management-System Missing Authentication Vulnerability in Employees API
Vulnerability
A vulnerability exists in the Haxxorsid Stock-Management-System in all versions prior to the latest commit fbbbf213e9c93b87183a3891f77e3cc7095f22b0. The issue arises from improper access control in the MVC-based application: authentication is enforced only at the view layer, while the controller layer that serves the data is left exposed. This flaw allows unauthenticated users to access sensitive information or perform critical operations via the /api/employees endpoint. The vulnerability can be exploited remotely, and a public proof-of-concept exploit is available.
Impact
Exploitation of this vulnerability allows unauthorized access to the application's controller interface, enabling the retrieval of sensitive information or the execution of important operations without authentication.
Reproduction
To reproduce this vulnerability, send a request to the /api/employees endpoint without authentication. The absence of access control in the controller layer will allow access to sensitive information or operations.
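As an added illustration (not code from the Stock-Management-System project), the following minimal Python router shows the pattern described above: the HTML view is guarded by a decorator while the /api/employees controller route has no check, a central before-request gate closes the gap, and an audit helper flags API routes that no guard covers. The App class, the handler names and the sample employee rows are constructed assumptions; only the /api/employees path comes from the advisory.

```python
from functools import wraps

EMPLOYEES = [{"id": 1, "name": "A. Example", "salary": 50000}]  # constructed sample rows

class App:  # tiny stand-in for an MVC framework's routing table (Flask-style, assumed)
    def __init__(self):
        self.routes = {}          # path -> handler(session) -> (status, body)
        self.before_request = []  # hooks run for every request, before any handler
    def route(self, path):
        def register(fn):
            self.routes[path] = fn
            return fn
        return register
    def dispatch(self, path, session):
        for hook in self.before_request:
            early = hook(path, session)
            if early is not None:
                return early
        handler = self.routes.get(path)
        return handler(session) if handler else (404, "not found")

def login_required(fn):  # view-layer guard: protects only handlers that opt in
    @wraps(fn)
    def guarded(session):
        return fn(session) if session.get("user") else (302, "/login")
    guarded.auth_enforced = True
    return guarded

def build_vulnerable_app():
    app = App()
    @app.route("/employees")
    @login_required                # the HTML view is guarded ...
    def employees_view(session):
        return 200, "<employees page>"
    @app.route("/api/employees")   # ... but the controller endpoint behind it is not
    def employees_api(session):
        return 200, EMPLOYEES
    return app

def build_hardened_app():  # same routes plus one central gate for every /api/ path
    app = build_vulnerable_app()
    app.before_request.append(lambda path, s: (401, "authentication required")
                              if path.startswith("/api/") and not s.get("user") else None)
    return app

def unguarded_api_routes(app):  # audit: API routes with no per-handler guard and no global gate
    if app.before_request:
        return []
    return sorted(p for p, h in app.routes.items()
                  if p.startswith("/api/") and not getattr(h, "auth_enforced", False))
```

Running unguarded_api_routes against the real routing table (or an equivalent check in a framework's test suite) is the regression test that would have caught this class of gap before release.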
