Description
teklifolustur_app is a web-based PHP application that allows users to create, manage, and track quotes for their clients. Prior to commit dd082a134a225b8dcd401b6224eead4fb183ea1c, an Insecure Direct Object Reference (IDOR) vulnerability exists in the offer view functionality. Authenticated users can manipulate the offer_id parameter to access offers belonging to other users. The issue is caused by a missing authorization check ensuring that the requested offer belongs to the currently authenticated user. Commit dd082a134a225b8dcd401b6224eead4fb183ea1c contains a patch.
Published: 2026-01-19
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized access to other users' offers (IDOR)
Action: Immediate Patch
AI Analysis

Impact

An insecure direct object reference flaw was discovered in teklifolustur_app, a PHP web platform for quote management. Because the offer view performs no authorization check, an authenticated user can change the offer_id parameter when viewing offers and retrieve offers that belong to other users. This flaw can expose confidential client data, allow data tampering, and potentially breach privacy requirements, consistent with its CWE-639 classification (Authorization Bypass Through User-Controlled Key).

Affected Systems

Vendor sibercii6-crypto provides the teklifolustur_app web application. The vulnerability affects the offer view functionality, present in all releases before the patch commit dd082a134a225b8dcd401b6224eead4fb183ea1c. No specific version range is listed, so all instances running the pre-patch source code are potentially vulnerable.

Risk and Exploitability

The CVSS v3 score is 7.1, indicating high severity, while the EPSS score is below 1%, suggesting a low exploitation probability. The vulnerability is not listed in CISA’s KEV catalog. Attackers must first authenticate to the system and can then manipulate HTTP request parameters to access other users’ offers. The lack of an official workaround implies a direct patch is required, and the low EPSS may reduce the immediacy of exploitation but does not mitigate the confidentiality risk.
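The missing check described above, as an added example that is not code from teklifolustur_app or its patch commit: a hypothetical PHP offer lookup in its IDOR form beside the ownership-checked form. The offers table, its columns, the request shape and the use of pdo_sqlite for sample data are assumptions.

```php
<?php declare(strict_types=1);
// Added illustration, not code from teklifolustur_app: a hypothetical offer
// lookup showing the IDOR pattern and the ownership check that closes it.
// The offers table, its columns and the request/session shape are assumptions.

// Constructed sample data in an in-memory SQLite database (needs pdo_sqlite).
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE offers (id INTEGER PRIMARY KEY, user_id INTEGER, client TEXT, total REAL)');
$db->exec("INSERT INTO offers VALUES (1, 10, 'Acme Ltd', 1200.0), (2, 20, 'Globex', 4800.0)");

// Vulnerable pattern: the row is selected by offer_id alone, so any logged-in
// user who changes ?offer_id= in the request reads another user's offer.
function vulnerableOfferView(PDO $db, int $offerId): ?array
{
    $stmt = $db->prepare('SELECT id, user_id, client, total FROM offers WHERE id = :id');
    $stmt->execute([':id' => $offerId]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// Fixed pattern: ownership is part of the query, so a foreign offer_id is
// indistinguishable from a non-existent one (no oracle for which ids exist).
function fixedOfferView(PDO $db, int $offerId, int $currentUserId): ?array
{
    $stmt = $db->prepare(
        'SELECT id, user_id, client, total FROM offers WHERE id = :id AND user_id = :uid'
    );
    $stmt->execute([':id' => $offerId, ':uid' => $currentUserId]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// Request handling for the fixed view: the caller has already authenticated the
// user; validate the id and log every miss so enumeration shows up in the logs.
function handleOfferRequest(PDO $db, int $currentUserId, array $query): array
{
    $offerId = filter_var($query['offer_id'] ?? '', FILTER_VALIDATE_INT);
    if ($offerId === false) {
        return [400, 'Invalid offer_id'];
    }
    $offer = fixedOfferView($db, $offerId, $currentUserId);
    if ($offer === null) {
        error_log(sprintf('offer view denied: user=%d offer_id=%d', $currentUserId, $offerId));
        return [404, 'Offer not found'];
    }
    return [200, $offer];
}

// User 10 asks for offer 2, which belongs to user 20: compare the owner returned
// by the old lookup with the status code the ownership-checked handler returns.
var_dump(vulnerableOfferView($db, 2)['user_id']);
var_dump(handleOfferRequest($db, 10, ['offer_id' => '2'])[0]);
var_dump(handleOfferRequest($db, 10, ['offer_id' => '1'])[0]);
```

The denied-request log line is the signal the recommended "log failed access attempts" action relies on: a run of 404s for sequential offer_id values from one user is the enumeration pattern to alert on.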

Generated by OpenCVE AI on April 18, 2026 at 05:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the security patch from commit dd082a134a225b8dcd401b6224eead4fb183ea1c to the application codebase.
  • Deploy the updated version of teklifolustur_app or rebuild the application using the patched source.
  • Verify the patch implementation by attempting to access another user’s offer and confirming it is denied or shows an access denied error.
  • Enable logging of failed access attempts to detect potential abuse.

Tracking


Advisories

No advisories yet.

History

Tue, 20 Jan 2026 21:15:00 +0000

Type: Metrics (ssvc)
Values Added:
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 20 Jan 2026 08:45:00 +0000

Type: First Time appeared
Values Added: Sibercii6-crypto; Sibercii6-crypto teklifolustur App
Type: Vendors & Products
Values Added: Sibercii6-crypto; Sibercii6-crypto teklifolustur App

Mon, 19 Jan 2026 19:00:00 +0000

Type: Description
Values Added: teklifolustur_app is a web-based PHP application that allows users to create, manage, and track quotes for their clients. Prior to commit dd082a134a225b8dcd401b6224eead4fb183ea1c, an Insecure Direct Object Reference (IDOR) vulnerability exists in the offer view functionality. Authenticated users can manipulate the offer_id parameter to access offers belonging to other users. The issue is caused by a missing authorization check ensuring that the requested offer belongs to the currently authenticated user. Commit dd082a134a225b8dcd401b6224eead4fb183ea1c contains a patch.
Type: Title
Values Added: teklifolustur_app's IDOR vulnerability allows unauthorized access to other users' offers
Type: Weaknesses
Values Added: CWE-639
Type: References
Values Added:
Type: Metrics (cvssV3_1)
Values Added:
{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-20T20:05:43.380Z

Reserved: 2026-01-16T15:46:40.842Z

Link: CVE-2026-23843

Vulnrichment

Updated: 2026-01-20T19:37:13.692Z

NVD

Status : Deferred

Published: 2026-01-19T19:16:04.660

Modified: 2026-06-17T10:22:11.460

Link: CVE-2026-23843

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T05:15:15Z

Weaknesses
  • CWE-639: Authorization Bypass Through User-Controlled Key