Code-Projects Invoice System Laravel Improper Authorization Vulnerability

Vulnerability

An improper authorization vulnerability has been identified in Code-Projects Invoice System version 1.0, specifically within the API endpoint '/item'. This vulnerability allows any user, including unauthenticated individuals, to access the endpoint and retrieve the complete catalog of items. The information disclosed includes internal names, prices, and descriptions, which could be exploited to gather sensitive business data.

Impact

Exploitation of this vulnerability leads to unauthorized access to the item catalog, disclosing sensitive business information such as pricing and product details. Additionally, the vulnerability could be used to collect valid item IDs for further exploitation through Insecure Direct Object Reference (IDOR) testing during invoice creation.

Reproduction

To reproduce this vulnerability, send a GET request to the '/item' API endpoint without any authentication. The response will include the full item catalog, revealing internal names, prices, and descriptions.

Remediation

It is recommended to require authentication for the '/item' route, limit the response to include only the fields necessary for the authenticated user's context, and implement rate limiting to prevent bulk scraping of the catalog.
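As an added illustration of the three remediation steps above (example code written for this advisory, not code from the Code-Projects Invoice System or from Laravel itself), a route definition that requires authentication and throttles requests, beside an API resource that restricts the fields returned. The `Item` model, the `ItemResource` class, the column names and the `is_admin` user attribute are assumptions of this example.

```php
<?php
// File: routes/api.php (assumed location)
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;
use App\Models\Item;                  // assumed model name
use App\Http\Resources\ItemResource;  // assumed resource class, defined below

// Before (the vulnerable shape): no middleware, so any client, authenticated
// or not, can pull the entire catalog with one request.
// Route::get('/item', fn () => Item::all());

// After: require a valid Sanctum token, cap requests at 60 per minute per
// caller, paginate the listing, and serialise through a resource class that
// exposes only the fields appropriate to the caller.
Route::middleware(['auth:sanctum', 'throttle:60,1'])
    ->get('/item', function (Request $request) {
        return ItemResource::collection(Item::query()->paginate(25));
    });

<?php
// File: app/Http/Resources/ItemResource.php (assumed path)
namespace App\Http\Resources;

use Illuminate\Http\Request;
use Illuminate\Http\Resources\Json\JsonResource;

class ItemResource extends JsonResource
{
    public function toArray(Request $request): array
    {
        // Every authenticated caller gets the fields needed to build an
        // invoice; internal names and descriptions stay hidden unless the
        // caller carries an administrative flag ('is_admin' is assumed).
        $isAdmin = (bool) ($request->user()?->is_admin ?? false);

        return [
            'id'            => $this->id,
            'name'          => $this->name,
            'price'         => $this->price,
            // when() drops the key entirely for non-admin callers.
            'internal_name' => $this->when($isAdmin, $this->internal_name),
            'description'   => $this->when($isAdmin, $this->description),
        ];
    }
}
```

With this in place an unauthenticated GET to '/item' receives a 401 response instead of the catalog, and a non-admin user sees only id, name and price for each page of results.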

Added: Apr 27, 2026, 10:19 AM
Updated: Apr 27, 2026, 10:19 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 8.7
remediation: 0.0
relevance: 6.8
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.