PHPGurukul Employee Leave Management System
cpe:2.3:a:phpgurukul:employee_leave_management_system:*:*:*:*:*:*:*
- 2.1
An Insecure Direct Object Reference (IDOR) vulnerability has been identified in PHPGurukul Employee Leave Management System version 2.1. The issue resides in the leave-details.php file, where an authenticated user can manipulate the leaveid parameter in the URL to access the leave application details of other users. This vulnerability results in unauthorized disclosure of sensitive information regarding employees' leave requests.
Exploitation of this vulnerability allows authenticated users to access and disclose leave application details of other employees without authorization.
To reproduce this vulnerability, log in as a valid employee user and navigate to the leave-details.php page. Once there, change the leaveid parameter in the URL to different values. The leave application details of other users will be disclosed without authorization.
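The fix for this class of bug is a server-side ownership check on every lookup by leaveid. The PHP below is an added example, not code from the application: the `leaves` table, its columns, both function names and the session employee id are assumed names, and the sample rows are constructed.

```php
<?php
declare(strict_types=1);
// Added example. Table, column and function names are assumptions,
// not taken from the application's source.

// Pattern that produces the IDOR: the row is selected by the URL id alone.
function fetchLeaveUnchecked(PDO $db, int $leaveId): ?array
{
    $stmt = $db->prepare('SELECT * FROM leaves WHERE id = :id');
    $stmt->execute([':id' => $leaveId]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// Hardened form: the id from the URL is only honoured together with the
// employee id held in the server-side session.
function fetchOwnLeave(PDO $db, int $sessionEmpId, mixed $rawLeaveId): ?array
{
    // Reject anything that is not a positive integer before querying.
    $leaveId = filter_var($rawLeaveId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($leaveId === false) {
        return null;
    }
    $stmt = $db->prepare(
        'SELECT id, empid, leave_type, status FROM leaves WHERE id = :id AND empid = :empid'
    );
    $stmt->execute([':id' => $leaveId, ':empid' => $sessionEmpId]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// Constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE leaves (id INTEGER PRIMARY KEY, empid INTEGER,
           leave_type TEXT, status TEXT)');
$db->exec("INSERT INTO leaves VALUES (1, 10, 'Casual', 'Approved'),
                                     (2, 11, 'Medical', 'Pending')");

// Employee 10 is logged in; in a real page this comes from $_SESSION, never from the URL.
$sessionEmpId = 10;
$other = fetchLeaveUnchecked($db, 2);
echo 'unchecked lookup of leave 2 returns a row owned by employee ', $other['empid'], PHP_EOL;

foreach (['1', '2', 'abc'] as $requested) {
    $leave = fetchOwnLeave($db, $sessionEmpId, $requested);
    // "Not found" and "not yours" get the same response, so the page does
    // not confirm which leave ids exist.
    echo "leaveid=$requested => ", $leave === null ? '404 Not Found' : 'own leave: ' . $leave['status'], PHP_EOL;
}
```

Logging requests where the ownership check fails gives responders a signal for users stepping through leaveid values.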