Indotalent Asp.Net Core Inventory Order Management System Administrative Interface Redirect Vulnerability
Vulnerability
A broken access control vulnerability exists in Indotalent's Asp.Net Core Inventory Order Management System, affecting versions through 9.20250118. This vulnerability allows low-privileged authenticated users to gain full administrative access by exploiting a client-side redirect bypass. The application improperly renders privileged content before server-side authorization is enforced, creating an opportunity for privilege escalation.
Impact
Exploitation of this vulnerability leads to unauthorized administrative access, allowing users to perform privileged actions such as managing user accounts and accessing sensitive administrative functions.
Reproduction
To reproduce this vulnerability, log in with a low-privileged account. Attempt to access an administrative endpoint, which will trigger an 'Unauthorized' response and a redirect to the login page. However, the authentication token remains valid, allowing access to the admin interface by interrupting the redirect with browser navigation controls or developer tools.
Remediation
It is recommended to implement server-side authorization checks before rendering administrative content, and to remove reliance on client-side redirects for access control.
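The weak pattern this advisory describes beside the server-side fix, as an added ASP.NET Core Razor Pages illustration that is not the vendor's code. Assumed names: role "Administrator", policy "AdminOnly", admin pages under /Pages/Admin, and the Web SDK's implicit usings plus an authentication scheme configured elsewhere.

```csharp
// Added illustration, not the vendor's code. Assumed: role "Administrator",
// policy "AdminOnly", admin pages under /Pages/Admin, Web SDK implicit usings.
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.RazorPages;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddAuthorization(options =>
    options.AddPolicy("AdminOnly", p => p.RequireRole("Administrator")));
// Folder convention: every page under /Admin gets the policy even if a
// PageModel forgets its [Authorize] attribute.
builder.Services.AddRazorPages(options =>
    options.Conventions.AuthorizeFolder("/Admin", "AdminOnly"));
var app = builder.Build();
app.UseAuthentication();   // assumes a cookie/identity scheme is registered
app.UseAuthorization();    // must run before endpoints so rejection is early
app.MapRazorPages();
app.Run();

// WEAK pattern (what the advisory describes): the handler always returns the
// page and only sets a flag; the view then emits a script that navigates to
// /Login. The privileged content is already in the HTTP response, so the
// redirect is not an access control at all.
public class UsersWeakModel : PageModel
{
    public bool RedirectToLogin { get; private set; }

    public void OnGet()
    {
        if (!User.IsInRole("Administrator"))
            RedirectToLogin = true;
        // ...user list is loaded and rendered regardless of the flag.
    }
}

// FIXED pattern: authorization runs as a filter before OnGet, so a non-admin
// receives 403 (or a challenge if unauthenticated) and nothing is rendered.
[Authorize(Policy = "AdminOnly")]
public class UsersModel : PageModel
{
    public IActionResult OnGet()
    {
        if (!User.IsInRole("Administrator"))   // defense in depth in the handler
            return Forbid();
        // load the user list here
        return Page();
    }
}
```

With the fix, a non-admin request never reaches the rendering path, so interrupting a browser redirect has nothing to reveal.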
