Description
A Business Logic vulnerability exists in SourceCodester Loan Management System v1.0 due to improper server-side validation. The application allows administrators to create "Loan Plans" with specific penalty rates for overdue payments. While the frontend interface prevents users from entering negative numbers in the "Monthly Overdue Penalty" field, this constraint is not enforced on the backend. An authenticated attacker can bypass the client-side restriction by manipulating the HTTP POST request to submit a negative value for the penalty_rate.
Published: 2026-04-01
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Financial Loss via Negative Penalty Rates
Action: Assess Impact
AI Analysis

Impact

A business logic flaw in the SourceCodester Loan Management System lets an authenticated administrator set a negative monthly overdue penalty when creating a loan plan, because the backend performs no server-side validation of the penalty_rate field. The front-end form does reject negative input, but that check runs only in the browser; an attacker who forges the HTTP POST request bypasses it entirely. A plan with a negative penalty reduces what overdue borrowers owe, or credits them outright, producing a financial gain for the attacker and a loss for the institution. The weakness is classified as CWE-602 (Client-Side Enforcement of Server-Side Security).

Affected Systems

SourceCodester Loan Management System version 1.0 is the only product named in the CNA data. No other vendors or product versions are indicated.

Risk and Exploitability

The CVSS 3.1 base score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N) indicates medium severity: the flaw is reachable over the network with low privileges and no user interaction, and its impact is confined to integrity. Exploitation requires valid administrative credentials and the ability to submit a crafted request. EPSS is below 1 % and the CVE is not in the KEV catalog, so the observed likelihood of exploitation is low, although the SSVC assessment records a public proof of concept. The financial impact is direct once the flaw is leveraged, so administrators should monitor changes to loan plans and enforce server-side checks promptly.

Generated by OpenCVE AI on April 2, 2026 at 03:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the application to the latest vendor release if a patch exists that validates penalty values on the server side.
  • Implement server‑side validation that rejects any negative values for the monthly overdue penalty field.
  • Ensure that the admin interface accepts only numeric values greater than or equal to zero.
  • Review existing loan plans for negative penalty rates and correct them if discovered.
  • Enable two‑factor authentication for all administrative accounts to reduce credential compromise risk.
  • Monitor logs for unusual or unauthorized loan plan modifications and alert administrators.
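The server-side check recommended above, together with the audit of existing loan plans, as an added example. This is not code from the Loan Management System or from its author; only the penalty_rate field name comes from the advisory. The handler names, the 100 % ceiling, the simple penalty formula and the sample plans are assumptions made for illustration.

```python
"""Server-side validation for the loan-plan penalty field.

Added example, not code from the Loan Management System itself. The field
name penalty_rate comes from the advisory; the handler names, the 100 %
upper bound and the penalty formula are assumptions made for illustration.
"""
from decimal import Decimal, InvalidOperation

# Assumed policy ceiling; the advisory only requires rejecting negatives.
MAX_MONTHLY_PENALTY_PERCENT = Decimal("100")


def store_penalty_rate_vulnerable(form: dict) -> Decimal:
    """The pattern the advisory describes: the backend trusts the browser.

    The "no negative numbers" rule lives only in the HTML form, so a forged
    POST body such as penalty_rate=-5 is stored exactly as sent.
    """
    return Decimal(form["penalty_rate"])


def parse_penalty_rate(form: dict) -> Decimal:
    """Hardened replacement: validate on the server, independent of the UI.

    Rejects missing, non-numeric, NaN/Infinity, negative and over-ceiling
    values. Raises ValueError so the request can be answered with HTTP 400.
    """
    raw = form.get("penalty_rate")
    if raw is None:
        raise ValueError("penalty_rate is required")
    try:
        rate = Decimal(str(raw).strip())
    except (InvalidOperation, ValueError):
        raise ValueError("penalty_rate must be a decimal number") from None
    # Decimal("NaN") and Decimal("Infinity") parse fine; comparing NaN would
    # raise, so check finiteness before the range checks.
    if not rate.is_finite():
        raise ValueError("penalty_rate must be a finite number")
    if rate < 0:
        raise ValueError("penalty_rate must not be negative")
    if rate > MAX_MONTHLY_PENALTY_PERCENT:
        raise ValueError("penalty_rate exceeds the allowed maximum")
    return rate


def is_valid_penalty_rate(form: dict) -> bool:
    """Boolean wrapper around parse_penalty_rate for bulk checks."""
    try:
        parse_penalty_rate(form)
        return True
    except ValueError:
        return False


def overdue_penalty(principal, rate_percent, months_overdue: int) -> Decimal:
    """Assumed penalty formula: principal * rate% per overdue month.

    Shows why the bug matters: a negative rate turns the penalty into a credit.
    Arguments may be str, int or Decimal; they are converted via str() to
    avoid binary-float rounding.
    """
    principal = Decimal(str(principal))
    rate_percent = Decimal(str(rate_percent))
    return principal * rate_percent / Decimal("100") * months_overdue


def find_invalid_penalty_plans(plans: list) -> list:
    """Audit helper for plans already stored: ids whose rate fails validation."""
    return [p["id"] for p in plans if not is_valid_penalty_rate(p)]


# Constructed sample data: a forged request body and a few stored plan rows.
FORGED_POST = {"plan_name": "Bypass", "penalty_rate": "-5"}
SAMPLE_PLANS = [
    {"id": 1, "plan_name": "Standard", "penalty_rate": "2.5"},
    {"id": 2, "plan_name": "Bypass", "penalty_rate": "-5"},
    {"id": 3, "plan_name": "Zero", "penalty_rate": "0"},
]

if __name__ == "__main__":
    print("vulnerable handler stored:", store_penalty_rate_vulnerable(FORGED_POST))
    print("hardened handler accepts forged request:", is_valid_penalty_rate(FORGED_POST))
    print("credit on 10000 overdue 3 months at -5%:", overdue_penalty("10000", "-5", 3))
    print("plans needing correction:", find_invalid_penalty_plans(SAMPLE_PLANS))
```

The vulnerable handler accepts the forged body and would later compute a 1500 credit instead of a penalty on a 10000 principal three months overdue; the hardened parser rejects it, and the audit helper flags plan 2 for correction. Decimal is used rather than float so that a stored rate such as 2.5 round-trips exactly.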

Advisories

No advisories yet.

History

Fri, 03 Apr 2026 07:45:00 +0000

Type: Metrics
Values removed: (none)
Values added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 02 Apr 2026 20:30:00 +0000

Type: Title
Values removed: (none)
Values added: Negative Overdue Penalty Allows Unauthorized Financial Gain

Wed, 01 Apr 2026 23:45:00 +0000

Values removed: (none for this entry)

Type: Description
Values added: A Business Logic vulnerability exists in SourceCodester Loan Management System v1.0 due to improper server-side validation. The application allows administrators to create "Loan Plans" with specific penalty rates for overdue payments. While the frontend interface prevents users from entering negative numbers in the "Monthly Overdue Penalty" field, this constraint is not enforced on the backend. An authenticated attacker can bypass the client-side restriction by manipulating the HTTP POST request to submit a negative value for the penalty_rate.

Type: First Time appeared
Values added: Oretnom23; Oretnom23 loan Management System

Type: Weaknesses
Values added: CWE-602

Type: CPEs
Values added: cpe:2.3:a:oretnom23:loan_management_system:1.0:*:*:*:*:*:*:*

Type: Vendors & Products
Values added: Oretnom23; Oretnom23 loan Management System

Type: References
Values added: (none)

Type: Metrics
Values added: cvssV3_1
{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}


Subscriptions

Oretnom23 Loan Management System
MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-01T15:37:44.224Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-30522

Vulnrichment

Updated: 2026-04-01T15:35:50.703Z

NVD

Status : Analyzed

Published: 2026-04-01T14:16:50.027

Modified: 2026-04-01T18:44:04.007

Link: CVE-2026-30522

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T20:09:51Z

Weaknesses