# Exploit Title: Employee Performance Evaluation System 1.0 - Able to delete Admin user from Local account Unauthenticated Insecure Direct Object Reference (IDOR)  
# Date: 09/12/2020  
# Exploit Author: Manish Solanki  
# Vendor Homepage:  
# Software Link:  
# Version: 1.0  
# Tested on: Windows 10/Kali Linux  
# PoC:  
Steps to Reproduce:  
1) Login with Admin Credentials (Email: Password: admin123)  
2) Create Local Employee Account  
3) Log Out from Admin Account  
4) Now login Local Employee Account  
5) Change url to ?page=user_list. Now I am able to delete / change admin user  
6) Now able to access admin privileges account and able to perform edit or delete operation from local account.