Pbrong Hrms Improper Authorization Vulnerability in Resource Go File
Vulnerability
A critical vulnerability allowing unauthorized access to user information has been identified in Pbrong Hrms version 1.0.1. The issue resides in the Resource Go file, specifically within the HrmsDB function. The function does not adequately verify permissions when handling database queries, so an attacker can bypass authorization by manipulating cookies and then access user data. This flaw can be exploited remotely.
Impact
Exploitation of this vulnerability leads to unauthorized access to user information, except for root and admin users.
Reproduction
To reproduce this vulnerability, send a GET request to the '/password/query/all' endpoint. Include a 'user_cookie' cookie with a value that bypasses the authorization check, such as 'ok_H14774_C001_1111111111111'. This will trigger the HrmsDB function, which will process the request without proper authorization, allowing access to the user information.
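One way to close this gap, shown as an added example that is not code from Pbrong Hrms: the server signs the cookie at login and checks both the signature and the role before any database handle is chosen. The cookie layout `<role>_<staffID>_<branchID>.<hex HMAC>`, the role names, the key and the function names are assumptions made for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Session is the identity recovered from a verified cookie.
// Assumed layout (not the project's): "<role>_<staffID>_<branchID>.<hex HMAC>".
type Session struct{ Role, StaffID, BranchID string }

var errDenied = fmt.Errorf("authorization denied")

// tag computes the hex HMAC-SHA256 of the cookie payload.
func tag(key []byte, payload string) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(payload))
	return hex.EncodeToString(m.Sum(nil))
}

// IssueCookie is called by the server after a successful login.
func IssueCookie(key []byte, s Session) string {
	p := strings.Join([]string{s.Role, s.StaffID, s.BranchID}, "_")
	return p + "." + tag(key, p)
}

// Authorize rejects any cookie the server did not sign, then checks the
// role against the roles allowed for the endpoint, before any DB is selected.
func Authorize(key []byte, cookie string, allowed ...string) (Session, error) {
	p, mac, ok := strings.Cut(cookie, ".")
	f := strings.Split(p, "_")
	if !ok || len(f) != 3 || !hmac.Equal([]byte(mac), []byte(tag(key, p))) {
		return Session{}, errDenied
	}
	for _, r := range allowed {
		if f[0] == r {
			return Session{f[0], f[1], f[2]}, nil
		}
	}
	return Session{}, errDenied
}

func main() {
	key := []byte("constructed-demo-key") // constructed; load from secret storage in practice
	_, err := Authorize(key, "ok_H14774_C001_1111111111111", "admin")
	fmt.Println("unsigned cookie from the report:", err)
}
```

With this check in front of the '/password/query/all' handler, the branch ID used to pick a database comes only from the verified Session, never from the raw cookie string.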
