Bdtask SalesERP Broken Access Control Vulnerability Allowing Privilege Escalation

Vulnerability

A critical broken access control vulnerability has been identified in Bdtask SalesERP versions prior to 20260116. The issue arises in the administrative endpoints, where the application authorizes a request on the mere presence of a valid 'ci_session' cookie and fails to validate the roles or permissions associated with that session. This flaw allows any authenticated user to access restricted administrative functions remotely, leading to unauthorized actions such as viewing, editing, or deleting sensitive ERP data, managing financial records, and altering user roles. Exploitation of this vulnerability results in full administrative privileges on the ERP system.

Impact

Exploitation of this vulnerability allows authenticated users to gain administrative privileges, bypassing role-based access controls. This unauthorized access enables them to manipulate sensitive ERP data, manage user roles, and exercise full control over the ERP instance.

Reproduction

To reproduce this vulnerability, log in as a normal user and obtain the 'ci_session' cookie. Then, send a request to an administrative endpoint, such as '/add_role', using the session cookie. The server will respond with administrative content, demonstrating the authorization bypass.

Remediation

It is recommended to implement server-side role verification on all administrative endpoints, establish centralized role-based access control middleware, and conduct a comprehensive authorization audit.
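The check described in the Reproduction and Remediation sections, as an added example that is not Bdtask's or SalesERP's code (SalesERP is a CodeIgniter/PHP application; this Python model stands in for it). It shows the flawed pattern, in which any valid session reaches an administrative handler, beside a centralized role requirement applied to every administrative route, a denial log a detection team can alert on, and a small authorization audit that lists administrative paths whose handler carries no role requirement. The session ids, user ids, roles and route table (including the hypothetical '/delete_user' and '/export_ledger' paths) are constructed sample values; only '/add_role' and the 'ci_session' cookie name come from the advisory.

```python
"""Server-side role enforcement for administrative routes (constructed example)."""
from dataclasses import dataclass
from functools import wraps
from typing import Callable, Dict, List, Optional, Set

# Constructed session store: cookie value -> server-side session record.
# The role must come from this server-side record (or the database), never
# from anything the client sends alongside the cookie.
SESSIONS: Dict[str, dict] = {
    "sess-user-0001": {"user_id": 42, "role": "user"},
    "sess-admin-0001": {"user_id": 1, "role": "admin"},
}

AUDIT_LOG: List[str] = []  # denied attempts, for detection and alerting


@dataclass
class Response:
    status: int
    body: str


def session_from_cookies(cookies: Dict[str, str]) -> Optional[dict]:
    """Resolve the ci_session cookie to its server-side record, if any."""
    sid = cookies.get("ci_session")
    return SESSIONS.get(sid) if sid else None


def vulnerable_add_role(cookies: Dict[str, str]) -> Response:
    """The flawed pattern: any valid session is treated as sufficient."""
    if session_from_cookies(cookies) is None:
        return Response(302, "redirect:/login")
    return Response(200, "role added")


def require_role(*roles: str) -> Callable:
    """Centralized authorization check, applied to every administrative handler."""
    def decorator(handler: Callable) -> Callable:
        @wraps(handler)
        def wrapper(cookies: Dict[str, str], *args, **kwargs) -> Response:
            sess = session_from_cookies(cookies)
            if sess is None:
                return Response(302, "redirect:/login")
            if sess.get("role") not in roles:  # deny by default
                AUDIT_LOG.append(
                    f"DENY user_id={sess['user_id']} role={sess.get('role')} "
                    f"handler={handler.__name__}"
                )
                return Response(403, "forbidden")
            return handler(cookies, *args, **kwargs)
        wrapper.required_roles = frozenset(roles)  # marker used by audit_routes
        return wrapper
    return decorator


@require_role("admin")
def add_role(cookies: Dict[str, str]) -> Response:
    return Response(200, "role added")


@require_role("admin")
def delete_user(cookies: Dict[str, str]) -> Response:  # hypothetical route
    return Response(200, "user deleted")


def export_ledger(cookies: Dict[str, str]) -> Response:  # hypothetical route
    # Deliberately left without require_role so the audit has a gap to report.
    return Response(200, "ledger exported")


# Constructed route table; '/add_role' is the endpoint named in the advisory.
ROUTES: Dict[str, Callable] = {
    "/add_role": add_role,
    "/delete_user": delete_user,
    "/export_ledger": export_ledger,
}
ADMIN_PATHS: Set[str] = {"/add_role", "/delete_user", "/export_ledger"}


def dispatch(path: str, cookies: Dict[str, str]) -> Response:
    handler = ROUTES.get(path)
    if handler is None:
        return Response(404, "not found")
    return handler(cookies)


def audit_routes(routes: Dict[str, Callable], admin_paths: Set[str]) -> List[str]:
    """Authorization audit: admin paths whose handler carries no role requirement."""
    return sorted(p for p in admin_paths
                  if not getattr(routes[p], "required_roles", None))


if __name__ == "__main__":
    normal_user = {"ci_session": "sess-user-0001"}
    print(vulnerable_add_role(normal_user).status)   # 200: the advisory's flaw
    print(dispatch("/add_role", normal_user).status)  # 403 with the role check
    print(audit_routes(ROUTES, ADMIN_PATHS))          # ['/export_ledger']
    print(AUDIT_LOG)
```

The decorator is the "centralized middleware" of the remediation: a handler either carries a role requirement or it does not, and the audit makes the second case visible instead of relying on each controller remembering its own check. Entries in AUDIT_LOG are the signal a detection rule would key on: a non-admin user id repeatedly hitting administrative handlers is exactly the behaviour the Reproduction section describes.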

Added: Jan 29, 2026, 5:20 PM
Updated: Jan 29, 2026, 7:06 PM

Vulnerability Rating

Custom Algorithm

  spread          0.0
  impact          5.0
  exploitability  6.6
  remediation     0.0
  relevance       2.5
  threat          6.4
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.