Executive Summary

The CVE-2026-6201 vulnerability is a Broken Access Control issue classified as an Insecure Direct Object Reference (IDOR) in the CodeAstro Online Job Portal version 1.0.

It exists in the file /jobs/job-delete.php and involves the id parameter passed via a GET request.

The flaw allows any authenticated employer to delete job postings created by other employers by manipulating the id parameter without proper ownership verification.

• The application fails to verify if the authenticated user owns the job posting before processing a delete request.
• By intercepting and modifying the id parameter in the delete request, an attacker can delete arbitrary job postings.

For example, an attacker can log in as one employer, intercept their own delete request, change the id parameter to another employer's job posting ID, and cause the server to delete that other employer's job posting.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows any authenticated employer on the platform to permanently delete job postings created by other employers.

The impact includes unauthorized data loss and disruption of service on the job portal platform.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring and intercepting HTTP GET requests to the endpoint `/jobs/job-delete.php` that include the `id` parameter. Specifically, look for requests where the `id` parameter is manipulated to delete job postings that do not belong to the authenticated user.

Using a web proxy tool like Burp Suite, you can intercept and analyze delete requests to check if the `id` parameter can be modified to delete other users' job postings without proper authorization.

• Intercept a delete request with a valid session cookie.
• Modify the `id` parameter in the GET request to a job ID that belongs to another user.
• Forward the request and observe if the job posting is deleted.

Example command using curl to simulate a delete request (replace session cookie and job ID accordingly):

• curl -X GET 'https://[target-domain]/online-job-portal-php-mysql/jobs/job-delete.php?id=[job_id]' -H 'Cookie: PHPSESSID=[session_id]'

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include implementing proper access control checks on the server side to verify that the authenticated user owns the job posting before allowing deletion.

Specifically:

• Modify the `/jobs/job-delete.php` script to check ownership of the job posting against the authenticated user's ID before processing the delete request.
• Restrict the `id` parameter so that users can only delete their own job postings.
• Implement server-side validation and authorization checks rather than relying on client-side controls.
• Monitor logs for suspicious delete requests with manipulated `id` parameters.

Additionally, consider informing users about the vulnerability and applying patches or updates from the software vendor if available.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows any authenticated employer to delete job postings created by other employers without proper authorization, leading to unauthorized data loss and disruption of service.

Such improper access control and unauthorized data manipulation could potentially violate data protection principles found in common standards and regulations like GDPR and HIPAA, which require ensuring data integrity, confidentiality, and proper access controls.

Specifically, the failure to verify ownership before deleting job postings may result in non-compliance with requirements to protect personal or sensitive data from unauthorized alteration or deletion.

Useful 0 Not Useful 0