Exploit for Employee Performance Evaluation System 1.0 Insecure Direct Object Reference

Name: Exploit for Employee Performance Evaluation System 1.0 Insecure Direct Object Reference
Rating: 5 (423 reviews)

2020-12-09 | CVSS -0.5

## https://sploitus.com/exploit?id=PACKETSTORM:160415
# Exploit Title: Employee Performance Evaluation System 1.0 - Able to delete Admin user from Local account Unauthenticated Insecure Direct Object Reference (IDOR)  
# Date: 09/12/2020  
# Exploit Author: Manish Solanki  
# Vendor Homepage: https://www.sourcecodester.com  
# Software Link: https://www.sourcecodester.com/php/14617/employee-performance-evaluation-system-phpmysqli-source-code.html  
# Version: 1.0  
# Tested on: Windows 10/Kali Linux  
# PoC: https://drive.google.com/file/d/1LWU05ocapuoIL1nfqCF8DRu_T2gB-3sQ/view  
  
  
Steps to Reproduce:  
  
1) Login with Admin Credentials (Email: admin@admin.com Password: admin123)  
2) Create Local Employee Account  
3) Log Out from Admin Account  
  
4) Now login Local Employee Account  
5) Change url to ?page=user_list. Now I am able to delete / change admin user  
  
http://localhost/epes/index.php?page=user_list  
  
6) Now able to access admin privileges account and able to perform edit or delete operation from local account.