Share
## https://sploitus.com/exploit?id=PACKETSTORM:172653
Vulnerability: Broken Access Control  
Author: Akash Pandey  
CVE: CVE-2023-3018  
Source:  
https://www.sourcecodester.com/php/16525/lost-and-found-information-system-using-php-and-mysql-db-source-code-free-download.html  
  
*Steps to re-produce*:  
  
1. Go to https://site.com/admin/?page=user/list as staff user.  
  
2. Notice that as a staff user I am able to access admin functionalities.  
  
3. Now as a staff I am able to edit admin user’s password  
  
POC:  
  
https://medium.com/@akashpandey380/lost-and-found-information-system-v1-0-idor-cve-2023-977966c4450d