CVE-2026-10255
Improper Access Control in Pharmacy Sales and Inventory System
Publication date: 2026-06-01
Last updated on: 2026-06-01
Assigner: VulDB
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sourcecodester | pharmacy_sales_and_inventory_system | 1.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-266 | A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor. |
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the SourceCodester Pharmacy Sales and Inventory System 1.0, specifically in the sell_statement function of the ShowForm.php file. The issue is caused by improper access control due to a flawed authentication check where an OR operator (||) is used instead of an AND operator (&&). This logical error causes the condition to always evaluate to true, allowing unauthenticated users to bypass access controls and access sensitive endpoints.
As a result, attackers can remotely exploit this flaw to access sensitive sales and supplier payment records without logging in.
How can this vulnerability impact me?
Exploiting this vulnerability allows attackers to directly access sensitive data such as sales dates, invoice numbers, medicine details, pricing, quantities, financial summaries, supplier names, and payment information.
- Potential financial fraud due to unauthorized access to financial records.
- Privacy violations from exposure of sensitive business and supplier information.
- Competitive harm as confidential sales and supplier data can be leaked.
- Regulatory non-compliance risks arising from improper data protection.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability leads to unauthorized access to sensitive data, which can result in violations of data protection regulations such as GDPR and HIPAA. Exposure of personal or financial information without proper access controls undermines compliance requirements related to confidentiality, integrity, and security of data.
Such breaches can cause legal and financial consequences due to non-compliance with these standards.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing access to the vulnerable endpoints without authentication. Specifically, attempts to access `/ShowForm/sell_statement/main` and `/ShowForm/supplier_payment/main` without valid login credentials reveal whether access controls are properly enforced.
A simple detection method is to use an HTTP client such as curl or wget to send requests to these endpoints with no session cookie and observe whether sensitive data is returned without authentication.
- `curl -i http://<target>/ShowForm/sell_statement/main`
- `curl -i http://<target>/ShowForm/supplier_payment/main`
If these commands return sensitive sales or supplier payment data without requiring login, the system is vulnerable.
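The same check as a small script, added here as an example (it is not part of the advisory or of the SourceCodester project): it requests the two endpoints named above with no session cookie, does not follow redirects, and classifies each response; the marker strings used to tell a login page from a report page are assumptions to tune for your deployment.

```python
"""Unauthenticated exposure check for the two advisory endpoints (added example)."""
import urllib.error
import urllib.request

# Endpoints named in the advisory; the host is supplied by the operator.
ENDPOINTS = ("/ShowForm/sell_statement/main", "/ShowForm/supplier_payment/main")

# Assumed heuristics: a protected app answers with a login redirect or a login
# form; an exposed one returns report content containing these words.
LOGIN_MARKERS = ("<form", "password", "login")
DATA_MARKERS = ("invoice", "supplier", "medicine", "total", "<table")


def classify(status: int, location: str, body: str) -> str:
    """Return 'protected', 'exposed' or 'inconclusive' for one unauthenticated response."""
    low = body.lower()
    if status in (401, 403):
        return "protected"
    if status in (301, 302, 303, 307, 308) and "login" in location.lower():
        return "protected"
    if status == 200:
        has_login = any(m in low for m in LOGIN_MARKERS)
        has_data = any(m in low for m in DATA_MARKERS)
        if has_login and not has_data:
            return "protected"
        if has_data:
            return "exposed"
    return "inconclusive"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surface the 3xx to the caller as HTTPError instead of following it


def scan(base_url: str, timeout: float = 5.0) -> dict:
    """Fetch each endpoint with no cookies and return {path: verdict}."""
    opener = urllib.request.build_opener(_NoRedirect())
    results = {}
    for path in ENDPOINTS:
        url = base_url.rstrip("/") + path
        try:
            with opener.open(url, timeout=timeout) as resp:
                body = resp.read().decode("utf-8", "replace")
                results[path] = classify(resp.status, resp.headers.get("Location", ""), body)
        except urllib.error.HTTPError as e:  # 3xx and 4xx land here when not followed
            body = e.read().decode("utf-8", "replace")
            results[path] = classify(e.code, e.headers.get("Location", ""), body)
        except (urllib.error.URLError, OSError):
            results[path] = "inconclusive"
    return results
```

Run it against your own instance with `scan("http://<target>")`; any path reported as `exposed` confirms the flaw described above.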
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation involves correcting the flawed access control logic in the `ShowForm.php` file by replacing the incorrect OR operator (`||`) with an AND operator (`&&`) in the authentication check.
Additional steps include implementing role-based access control (RBAC), enforcing session validation, adding authentication middleware, and applying the principle of least privilege to restrict access.
Performing regular security audits is also recommended to detect and prevent similar vulnerabilities in the future.