Impact
The reported flaw lies in the handling of the role parameter by the user registration endpoint in SourceCodester Inventory Management System. By sending a crafted value for the role parameter, an unauthenticated or low‑privileged client can override the permissions the application intended to assign, resulting in improper access control. The vulnerability allows an attacker to elevate their privileges to those of a higher‑level role, undermining the integrity and confidentiality of the system’s data. The CVE description explicitly notes that remote exploitation is possible and that public proof‑of‑concept code is available.
Affected Systems
This issue affects SourceCodester Inventory Management System version 1.0, specifically the /api/users_handler.php component that manages user registration. No other product versions or vendors were listed as affected.
Risk and Exploitability
The flaw receives a CVSS score of 6.9, indicating a high severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is a remote HTTP request to the API endpoint that carries a manipulated role parameter. Given the public availability of an exploit, the risk is significant for organizations running this version without a fix.
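The flaw class described above, client control of the role assigned during self‑registration, is illustrated below as an added example that is not the project's code: a mass‑assignment style handler beside a hardened one that reads only allow‑listed fields and assigns the role server‑side. Field names, role names and the request shape are assumptions for the illustration.

```python
# Added illustration of the flaw class (client-controlled role during
# self-registration) and a hardened handler. NOT the project's code;
# field names, role names and the request format are assumptions.
from dataclasses import dataclass

DEFAULT_ROLE = "user"                                     # self-registration always yields this
ROLES = {"user", "manager", "admin"}                      # assumed role vocabulary
SELF_REGISTER_FIELDS = {"username", "password", "email"}  # allow-list of client-settable fields


@dataclass
class User:
    username: str
    email: str
    role: str


def register_vulnerable(params: dict) -> User:
    """Mass-assignment pattern: copies whatever 'role' the client sent into the account."""
    return User(params["username"], params.get("email", ""),
                params.get("role", DEFAULT_ROLE))


def register_hardened(params: dict) -> User:
    """Reads only allow-listed fields; the role is decided server-side, never by the client."""
    clean = {k: v for k, v in params.items() if k in SELF_REGISTER_FIELDS}
    return User(clean["username"], clean.get("email", ""), DEFAULT_ROLE)


def suspicious_fields(params: dict) -> list:
    """Fields a self-registration request should never carry; worth logging and alerting on."""
    return sorted(set(params) - SELF_REGISTER_FIELDS)


def set_role(actor: User, target: User, new_role: str) -> bool:
    """The only path that may grant a role: an explicit server-side authorization check."""
    if actor.role != "admin" or new_role not in ROLES:
        return False
    target.role = new_role
    return True


if __name__ == "__main__":
    # Constructed sample request: a crafted registration carrying a privileged role.
    crafted = {"username": "mallory", "password": "pw", "role": "admin"}
    print(register_vulnerable(crafted).role)  # admin  <- the privilege escalation
    print(register_hardened(crafted).role)    # user
    print(suspicious_fields(crafted))         # ['role']
```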
OpenCVE Enrichment