Tutorials-Website Employee Management System IDOR Vulnerability in delete-user.php
Vulnerability
A critical Insecure Direct Object Reference (IDOR) vulnerability has been identified in the Tutorials-Website Employee Management System version 1.0. The issue resides in the file delete-user.php within the admin directory. The endpoint performs no authorization check, so manipulating the ID parameter enables remote deletion of user accounts without administrative consent. This flaw could lead to unauthorized data access, data manipulation, account takeover, privilege escalation, and a denial-of-service condition by removing essential user accounts.
Impact
Exploitation of this vulnerability allows for unauthorized deletion of user accounts, including administrators, disrupting access to the management system and associated tasks and verifications.
Reproduction
To reproduce this vulnerability, access the delete-user.php file in the admin directory. No administrative privileges are required to use this endpoint. Simply input an employee ID parameter to delete the corresponding account. For example, an ID of '8' would delete the account of the employee named Mukesh.
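The following PHP is an added illustration, not the project's own code: it contrasts the unchecked pattern described above with a hardened handler. It assumes a PDO connection in $pdo, a users table with an integer id column, and a session that stores the caller's user_id, role and a csrf_token; all of these names are assumptions.

```php
<?php
// Added example, not the project's code. Assumes: PDO connection $pdo, a 'users'
// table with integer 'id', and $_SESSION['user_id'], ['role'], ['csrf_token'].
session_start();

// Illustrative reconstruction of the flaw: no session or role check, and the
// identifier is taken straight from the request and used unvalidated.
function delete_user_vulnerable(PDO $pdo): void
{
    $id = $_GET['id'];                               // untrusted, unchecked
    $pdo->query("DELETE FROM users WHERE id = $id");  // any caller can delete any account
}

// Hardened handler: authenticate, authorise, validate, then use a prepared statement.
function delete_user_hardened(PDO $pdo): void
{
    // 1. Only an authenticated administrator may reach this action at all.
    if (empty($_SESSION['user_id']) || ($_SESSION['role'] ?? '') !== 'admin') {
        http_response_code(403);
        exit('Forbidden');
    }
    // 2. State-changing actions go over POST with a CSRF token, never a GET link.
    $token = $_SESSION['csrf_token'] ?? '';
    if ($_SERVER['REQUEST_METHOD'] !== 'POST' || $token === ''
        || !hash_equals($token, (string) ($_POST['csrf_token'] ?? ''))) {
        http_response_code(400);
        exit('Bad request');
    }
    // 3. Validate the identifier instead of trusting it.
    $id = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false || $id === null) {
        http_response_code(400);
        exit('Invalid id');
    }
    // 4. Do not let an admin delete their own account (avoids locking out the last admin).
    if ($id === (int) $_SESSION['user_id']) {
        http_response_code(409);
        exit('Cannot delete the current account');
    }
    // 5. Parameterised query, and an audit log line for the deletion.
    $stmt = $pdo->prepare('DELETE FROM users WHERE id = :id');
    $stmt->execute([':id' => $id]);
    error_log(sprintf('admin %d deleted user %d (%d row(s))',
        (int) $_SESSION['user_id'], $id, $stmt->rowCount()));
}
```

Detection for the deployed version is straightforward: alert on any request to admin/delete-user.php that arrives without an authenticated admin session or that uses the GET method.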
