CodeAstro Membership Management System 1.0 contains a missing authentication vulnerability in delete_members.php that allows unauthenticated attackers to delete arbitrary member records via the id parameter.
The attacker sends an HTTP request to the delete_members.php endpoint, providing the member record identifier in the 'id' parameter. The file does not verify the identity or permissions of the requester, so the deletion operation is performed without any access control. This allows a person without any account in the system to manipulate the database.
An attacker without any privileges can permanently delete any member records from the system, leading to data loss and disruption of application continuity. In extreme cases, it is possible to completely clear the organization's member database.
Patches available from the vendor should be applied in accordance with the references. Until the fix is implemented, it is recommended to restrict network access to the delete_members.php file at the web server or firewall level and implement authentication requirements for all data-modifying operations.
CodeAstro Membership Management System version 1.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HCodeastro Membership Management System
APPCodeastro1.0
Related vulnerabilities
SQL Injection w Codeastro Membership Management System via parametr ID
SQL Injection w CodeAstro Membership Management System via add_type.php
Missing authentication and authorization in print_membership_card.php in CodeAstro Membership Management Syste...
CodeAstro Membership Management System 1.0 is vulnerable to SQL Injection via the parameter 'email' in the Log...
The Directory Listing in /uploads/ Folder in CodeAstro Membership Management System 1.0 exposes the structure ...