{"id":35313,"date":"2024-11-01T12:25:31","date_gmt":"2024-11-01T06:55:31","guid":{"rendered":"https:\/\/www.getastra.com\/blog\/?p=35313"},"modified":"2024-11-08T19:58:54","modified_gmt":"2024-11-08T14:28:54","slug":"broken-access-control-in-committee-management-system","status":"publish","type":"post","link":"https:\/\/www.getastra.com\/blog\/vulnerability\/broken-access-control-in-committee-management-system\/","title":{"rendered":"Broken Access Control in Committee Management System"},"content":{"rendered":"\n

<\/a><\/p>\n\n\n

\n\n

Product Name:<\/strong> Class Committee Management System
Vulnerability:<\/strong> Broken Access Control
Vulnerable Version: <\/strong>Will be disclosed soon
CVE:<\/strong> Will be disclosed soon<\/p>\n\n<\/div>\n\n\n

<\/p>\n\n\n\n

On 24 September 2024, the security researchers at Astra discovered a critical broken access control vulnerability in the Class Committee Management System, an open-source project. The web-based system allows users to manage files, schedule meetings, generate reports, and access other management features.<\/p>\n\n\n\n

A broken access control vulnerability<\/a> occurs when the application does not enforce proper permissions and restrictions. In this instance, a lower-privileged user could bypass the permissions and escalate themselves to get unauthorized access to restricted functionalities or data.<\/p>\n\n\n\n

<\/span>How Does A Broken Access Control Vulnerability Occur?<\/strong><\/span><\/h2>\n\n\n\n

Step -1: Insufficient Permission<\/h3>\n\n\n\n

The application does not enforce proper permission restrictions for lower-privilege users, allowing attackers to leverage the Broken Access Control and exploit the system\u2019s lack of protection.<\/p>\n\n\n\n

Step -2: Privilege Escalation via URL Manipulation<\/h3>\n\n\n\n

Attackers can modify the URLs or other request parameters, leading to unauthorized access. For example:<\/p>\n\n\n\n