PT-2023-26707 · Unknown · Lost/Found Information System
Or4Ng.M4N
·
Published
2023-11-02
·
Updated
2025-11-11
·
CVE-2023-38965
CVSS v3.1
9.8
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Lost and Found Information System version 1.0
Description
The issue allows account takeover via
username and password to a "/classes/Users.php?f=save" API endpoint.Recommendations
For Lost and Found Information System version 1.0, consider disabling access to the "/classes/Users.php?f=save" API endpoint until a patch is available. Restrict the use of
username and password parameters in this endpoint to minimize the risk of exploitation.Exploit
Fix
IDOR
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Lost/Found Information System