Impact
A missing authorization check in SourceCodester Online Boat Reservation System 1.0 lets a remote attacker invoke administrative endpoints without authenticating as an administrator. Because the affected handlers act on a request without verifying the caller's identity or role, any client that can reach them can perform actions that should be restricted to administrators. The weakness is classified as CWE-266 (Incorrect Privilege Assignment) and CWE-285 (Improper Authorization) and carries a CVSS base score of 5.3 (Medium). No credentials or user interaction are needed beyond network access to the affected endpoints, and the publicly disclosed exploit demonstrates unauthorized administrative operations against them.
Affected Systems
This issue affects SourceCodester Online Boat Reservation System version 1.0; no other versions are known to be affected. The product is tracked under the vendor:product identifier sourcecodester:online_boat_reservation_system. The attack surface spans multiple administrative endpoints within the application rather than a single page, so a mitigation has to cover every administrative handler, not just the one shown in the public exploit.
Risk and Exploitability
No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog, but the attack is remote and unauthenticated and reaches multiple administrative endpoints, which is a tangible threat to the confidentiality and integrity of the application's data. The CVSS base score of 5.3 reflects limited impact per the scoring metrics rather than full system compromise; the practical severity depends on which administrative operations the exposed endpoints perform, which may include altering reservations, reading user data, or changing application settings. Patching or mitigating before any evidence of exploitation is observed is recommended: each administrative handler should verify the session and the administrator role before acting, or the administrative directory should be restricted at the web server level, and the fix should be verified by sending unauthenticated requests to every administrative endpoint and confirming that none of them respond with administrative content.
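Confirming exposure, and later validating a mitigation, comes down to probing every administrative endpoint without a session and classifying the responses. The script below is an added example written for this page; it is not code from SourceCodester, from the exploit author, or from OpenCVE. The endpoint paths, the target host and the canned responses in it are constructed placeholders (assumptions, not taken from the advisory); replace the paths with the application's real admin URLs and pass `http_fetch` to probe a test instance you own.

```python
"""Unauthenticated authorization audit of administrative endpoints.

Added example for this advisory page, not the project's own code. Endpoint
paths and the fake responses are constructed placeholders (assumptions).
"""
from typing import Callable, Dict, List, Tuple
from urllib.parse import urljoin, urlparse
import urllib.error
import urllib.request

# Hypothetical admin endpoints; adjust to the real application layout.
ADMIN_ENDPOINTS: List[str] = [
    "/admin/index.php",
    "/admin/boats.php",
    "/admin/reservations.php",
    "/admin/users.php",
]

# A response is (status, headers, body); header names are lower-cased.
Response = Tuple[int, Dict[str, str], str]
Fetcher = Callable[[str], Response]


def http_fetch(url: str) -> Response:
    """GET a URL with no cookies and without following redirects."""

    class NoRedirect(urllib.request.HTTPRedirectHandler):
        # Returning None makes urllib raise HTTPError for 3xx instead of following.
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None

    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "authz-audit/1.0"})
    try:
        with opener.open(req, timeout=10) as resp:
            body = resp.read().decode("utf-8", "replace")
            return resp.status, {k.lower(): v for k, v in resp.headers.items()}, body
    except urllib.error.HTTPError as err:  # 3xx, 4xx and 5xx all land here
        body = err.read().decode("utf-8", "replace")
        return err.code, {k.lower(): v for k, v in err.headers.items()}, body


def classify(resp: Response) -> str:
    """Decide whether an unauthenticated request was refused.

    'protected'   -> 401/403, redirect to a login page, or a login form rendered
    'unprotected' -> 200 with content that is not a login form
    'unclear'     -> anything else (e.g. redirect elsewhere, 404, 500)
    """
    status, headers, body = resp
    if status in (401, 403):
        return "protected"
    if status in (301, 302, 303, 307, 308):
        location = headers.get("location", "")
        return "protected" if "login" in location.lower() else "unclear"
    if status == 200:
        # Many PHP apps answer 200 and render the login form in place.
        if 'type="password"' in body.lower():
            return "protected"
        return "unprotected"
    return "unclear"


def audit(base_url: str, endpoints: List[str], fetch: Fetcher) -> Dict[str, str]:
    """Probe each endpoint without a session and return path -> classification."""
    return {path: classify(fetch(urljoin(base_url, path))) for path in endpoints}


def unprotected(results: Dict[str, str]) -> List[str]:
    """Endpoints that served content to an unauthenticated client."""
    return sorted(path for path, verdict in results.items() if verdict == "unprotected")


# Constructed sample responses so the script runs offline (assumption, not real data).
FAKE_RESPONSES: Dict[str, Response] = {
    "/admin/index.php": (302, {"location": "/login.php"}, ""),
    "/admin/boats.php": (200, {}, "<h1>Manage Boats</h1><table>...</table>"),
    "/admin/reservations.php": (200, {}, "<h1>Reservations</h1><table>...</table>"),
    "/admin/users.php": (200, {}, '<form><input type="password" name="password"></form>'),
}


def fake_fetch(url: str) -> Response:
    """Offline stand-in for http_fetch backed by FAKE_RESPONSES."""
    return FAKE_RESPONSES.get(urlparse(url).path, (404, {}, "Not Found"))


if __name__ == "__main__":
    verdicts = audit("http://target.local/", ADMIN_ENDPOINTS, fake_fetch)
    for path, verdict in verdicts.items():
        print(f"{verdict:12s} {path}")
    exposed = unprotected(verdicts)
    print("FAIL: unprotected admin endpoints:" if exposed else "PASS: all endpoints refused",
          exposed)
```

A `200` with administrative content on a plain GET is enough to confirm the missing check; state-changing endpoints that only act on POST still need a POST probe, which should only be run against a test instance you control. After a fix is applied, rerun the audit and expect every endpoint to classify as `protected`; an `unclear` result deserves manual review rather than being counted as safe.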
OpenCVE Enrichment