Login Sign Up

CVE-2024-4819

4.3 MEDIUM
Authentication Bypass

📋 TL;DR

This vulnerability is an Insecure Direct Object Reference (IDOR) in Campcodes Online Laundry Management System 1.0 that allows unauthorized access to admin functions. Attackers can manipulate the 'type' parameter in admin_class.php to bypass authorization checks. This affects all deployments of version 1.0 of this software.

💻 Affected Systems

Products:
  • Campcodes Online Laundry Management System
Versions: 1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of version 1.0 are vulnerable. The system must have the admin_class.php file accessible.

📦 What is this software?

Online Laundry Management System by Campcodes

View all CVEs affecting Online Laundry Management System →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of admin panel leading to data theft, system manipulation, or privilege escalation to full administrative control.

🟠

Likely Case

Unauthorized access to administrative functions, potentially allowing viewing or modification of user data, laundry orders, and system settings.

🟢

If Mitigated

Limited impact with proper network segmentation and access controls, potentially only exposing non-sensitive administrative interfaces.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires some authentication but bypasses authorization checks. Public proof-of-concept available on GitHub.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None known

Restart Required: No

Instructions:

No official patch available. Consider upgrading to a newer version if available or implementing workarounds.

🔧 Temporary Workarounds

Input Validation and Authorization Check

all

Add proper authorization checks in admin_class.php to validate user permissions before processing requests.

Edit admin_class.php to add session validation and role-based access controls

Web Application Firewall Rule

all

Block requests with suspicious parameter manipulation targeting admin_class.php

WAF rule: Block requests to admin_class.php with unexpected 'type' parameter values

🧯 If You Can't Patch

  • Implement network segmentation to isolate the laundry management system from critical infrastructure
  • Enable detailed logging and monitoring of all access to admin_class.php for suspicious activity

🔍 How to Verify

Check if Vulnerable:

Test if manipulating the 'type' parameter in requests to admin_class.php allows unauthorized access to admin functions

Check Version:

Check system documentation or configuration files for version information

Verify Fix Applied:

Verify that authorization checks properly validate user permissions before granting access to admin functions

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed authorization attempts to admin_class.php
  • Unauthorized access patterns to admin functions

Network Indicators:

  • HTTP requests to admin_class.php with manipulated 'type' parameter

SIEM Query:

source="web_logs" AND uri="*admin_class.php*" AND (param_type!="expected_value" OR status_code=200 AND user_role!="admin")

📊 Metadata

CVE ID: CVE-2024-4819
CVSS v3 Score: 4.3 (MEDIUM)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CWE: CWE-285
Published: May 14, 2024
Last Updated: February 20, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-4819, you might also want to check these:

CVE-2025-65041 10.0

CVE-2025-65041 is an improper authorization vulnerability in Microsoft Partner Center that allows un...

Same vulnerability type (CWE-285)
CVE-2021-37705 10.0

CVE-2021-37705 is an authorization bypass vulnerability in OneFuzz that allows authenticated users f...

Same vulnerability type (CWE-285)
CVE-2023-33189 10.0

CVE-2023-33189 is an authorization bypass vulnerability in Pomerium identity-aware access proxy. Att...

Same vulnerability type (CWE-285)