SourceCodester Pet Grooming Management Software, Improper Authorization, CVE-2026-3737 (MEDIUM)

Listen to this Post

A vulnerability exists in SourceCodester Pet Grooming Management Software 1.0 within the User Creation Handler component, specifically in the `add_user.php` file. The issue stems from improper authorization checks during the user creation process. An attacker with low-level privileges can manipulate parameters in the request to this script. By exploiting this flaw, the attacker can create new users or assign elevated privileges beyond their authorized access level. Since the application fails to verify if the authenticated user has the right to perform such administrative actions, the manipulation leads to privilege escalation. The attack vector is network-based, requiring no user interaction and having low attack complexity. Public disclosure of the exploit means technical details are available, increasing the risk of active exploitation. The vulnerability is classified under CWE-266 (Incorrect Privilege Assignment) and CWE-285 (Improper Authorization). This could allow unauthorized personnel to gain backend access, potentially leading to data breaches or system takeover. The CVSS 4.0 base score is 5.3 (Medium), indicating a moderate but tangible threat to the software’s security posture.

dailycve form:

Platform: SourceCodester Pet Grooming Management Software
Version: 1.0
Vulnerability: Improper authorization
Severity: MEDIUM
date: 03/08/2026

Prediction: Patch expected soon

What Undercode Say:

Analytics:

  • CVSS 4.0 Score: 5.3 (Medium) with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P.
  • CWE: CWE-266 (Incorrect Privilege Assignment) and CWE-285 (Improper Authorization).
  • Attack Requirements: Requires network access and low-privileged credentials. No user interaction needed.
  • Impact: Low impact on confidentiality, integrity, and availability, but the presence of a public exploit elevates the urgency.
  • Exploit Public: Yes (Confirmed by VulDB and NVD references).

Bash Commands and Testing:

Example using curl to test for improper authorization in add_user.php
Attempt to create an admin user with a low-privilege session cookie
curl -X POST "http://target-site.com/pet_grooming/admin/add_user.php" \
-H "Cookie: PHPSESSID=low_privilege_session_value" \
-d "username=hacker&password=pass123&role=Admin&submit=1"
Check if the response indicates success or redirects to admin panel
A 302 redirect to the user list or a success message may indicate vulnerability

How Exploit:

The exploit involves sending a crafted HTTP POST request to the `add_user.php` endpoint. An attacker, authenticated with a low-privilege account (e.g., Staff or Employee), adds or modifies parameters in the request to set their new user’s role to “Admin”. Because the backend script lacks proper checks to verify if the requesting user has administrative privileges, it processes the request and creates a privileged user .

Protection from this CVE:

  1. Input Validation: Implement strict server-side validation to ensure the authenticated user has the correct role (e.g., Admin) before allowing access to add_user.php.
  2. Access Control Lists (ACLs): Enforce role-based access control (RBAC) checks on every administrative function.
  3. Apply Patch: Monitor the official SourceCodester website or VulDB for an official patch or updated version of the software.
  4. Code Review: Modify the source code to include an authorization check at the beginning of the `add_user.php` script:
    // Example PHP fix
    session_start();
    if ($_SESSION['role'] !== 'Admin') {
    header('Location: unauthorized.php');
    exit();
    }
    

Impact:

Successful exploitation allows an attacker to create arbitrary users with administrative rights. This can lead to full system compromise, including data theft (confidentiality), data manipulation (integrity), and service disruption (availability) by the newly created admin account.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top