CVE-2024-9082

Severity: 6.3 MEDIUM (CVSS base score)

📋 TL;DR

This vulnerability in SourceCodester Online Eyewear Shop 1.0 lets a remote attacker bypass the authorization controls around user creation. The save action at /classes/Users.php?f=save trusts the client-supplied 'Type' parameter: sending the value '1' creates an account of that type, reported as an elevated (administrative) role, without the server checking who is making the request. Every deployment built from version 1.0 is affected.

💻 Affected Systems

Products:
  • SourceCodester Online Eyewear Shop
Versions: 1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the User Creation Handler component at /classes/Users.php?f=save

📦 What is this software?

SourceCodester Online Eyewear Shop is a free PHP/MySQL web application distributed as downloadable source code through sourcecodester.com and usually run on a LAMP or XAMPP stack as a learning or demo project. Projects published this way have no release channel or security updates, which is why no fixed version is listed below.

⚠️ Risk & Real-World Impact

🔴 Worst Case: An attacker creates an administrative account and takes full control of the application, stealing customer data, modifying content, or using the admin functions to stage further malware.

🟠 Likely Case: An attacker creates accounts of their choosing to reach restricted functionality, leading to data theft or a foothold for further privilege escalation.

🟢 If Mitigated: With the save action restricted to authenticated administrators and the 'Type' value enforced server-side, the request is rejected outright. Where only monitoring and network segmentation are in place, the damage stays inside the application (unauthorized accounts) but the endpoint remains exploitable; segmentation does not fix an application-layer authorization bug.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

A proof of concept is published on GitHub and linked from the CVE record. Exploitation is a single crafted POST with no special tooling, so it is trivially weaponizable.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: None published

Vendor Advisory: https://www.sourcecodester.com/

Restart Required: No

Instructions:

No official patch is available: SourceCodester distributes projects as one-off source downloads with no release channel. Apply the workarounds below directly to the code, or retire the application.

🔧 Temporary Workarounds

Input Validation Filter (applies to: all platforms)

Add server-side validation in /classes/Users.php that checks the 'Type' value against an explicit allow-list of role identifiers before it reaches the INSERT, and rejects anything else. On its own this only narrows what the field may contain; it closes the CVE only together with the access-control check below, because an unauthenticated caller could otherwise still pick any allowed role.

Access Control Restriction (applies to: all platforms)

Require an authenticated administrator session at the top of /classes/Users.php, before any action (including f=save) is dispatched, so that unauthenticated or low-privilege callers never reach the user-creation code.
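The two workarounds above amount to one change in the save handler. Below is an added example of what that hardened handler can look like; it is example code written for this page, not the project's own source. It assumes the handler reads the new user's fields from $_POST, that the session keeps the caller's role in $_SESSION['userdata']['type'] with 1 meaning administrator, that a second role id 2 exists, that PDO is available, and the field names firstname, lastname, username, password and type. All of these are assumptions about a code base the page does not quote.

```php
<?php
// Added example (not the project's own code): a hardened replacement for the
// "save" action of /classes/Users.php. Assumptions: user fields arrive in
// $_POST under firstname/lastname/username/password/type; the caller's role is
// in $_SESSION['userdata']['type']; role 1 is administrator and role 2 is a
// non-administrative role; the caller executes the INSERT with PDO.

declare(strict_types=1);

const ROLE_ADMIN    = 1;
const ROLE_STAFF    = 2;                       // assumed second role
const ALLOWED_ROLES = [ROLE_ADMIN, ROLE_STAFF];

/**
 * Decide whether a user-creation request may proceed and with which role.
 * Returns ['ok' => bool, 'type' => int|null, 'reason' => string].
 *
 * $session  the caller's session data (null when no session exists)
 * $post     the submitted form fields
 */
function authorize_user_creation(?array $session, array $post): array
{
    // 1. Access control: only an authenticated administrator may create users.
    //    The vulnerable handler never checked this, which is why the request
    //    could be sent without logging in at all.
    $callerRole = $session['userdata']['type'] ?? null;
    if ($callerRole !== ROLE_ADMIN) {
        return ['ok' => false, 'type' => null, 'reason' => 'caller is not an administrator'];
    }

    // 2. Input validation: the requested role must be a small integer on an
    //    explicit allow-list. Missing, non-numeric or unknown values are
    //    rejected instead of being passed into the INSERT.
    $requested = $post['type'] ?? null;
    if (!is_string($requested) && !is_int($requested)) {
        return ['ok' => false, 'type' => null, 'reason' => 'type missing'];
    }
    if (!preg_match('/^\d{1,2}$/', (string) $requested)) {
        return ['ok' => false, 'type' => null, 'reason' => 'type is not an integer'];
    }
    $type = (int) $requested;
    if (!in_array($type, ALLOWED_ROLES, true)) {
        return ['ok' => false, 'type' => null, 'reason' => 'type not allowed'];
    }

    return ['ok' => true, 'type' => $type, 'reason' => ''];
}

/**
 * Build the INSERT with bound parameters rather than interpolating $_POST.
 * Returns [$sql, $params] for $pdo->prepare($sql)->execute($params).
 */
function build_insert(array $post, int $type): array
{
    $sql = 'INSERT INTO users (firstname, lastname, username, password, type) '
         . 'VALUES (:firstname, :lastname, :username, :password, :type)';
    $params = [
        ':firstname' => trim((string) ($post['firstname'] ?? '')),
        ':lastname'  => trim((string) ($post['lastname'] ?? '')),
        ':username'  => trim((string) ($post['username'] ?? '')),
        ':password'  => password_hash((string) ($post['password'] ?? ''), PASSWORD_DEFAULT),
        ':type'      => $type,   // the validated role, never the raw request value
    ];
    return [$sql, $params];
}

// Wiring into the handler (assumed shape of the original dispatch):
//
//   session_start();
//   $decision = authorize_user_creation($_SESSION ?? null, $_POST);
//   if (!$decision['ok']) {
//       error_log(sprintf('users.save rejected from %s: %s',
//                         $_SERVER['REMOTE_ADDR'] ?? '-', $decision['reason']));
//       http_response_code(403);
//       exit(json_encode(['status' => 'failed', 'msg' => 'Not authorized']));
//   }
//   [$sql, $params] = build_insert($_POST, $decision['type']);
//   $pdo->prepare($sql)->execute($params);

// Stand-alone demonstration with constructed inputs (run with `php file.php`):
$anon  = authorize_user_creation(null, ['username' => 'x', 'type' => '1']);
$staff = authorize_user_creation(['userdata' => ['type' => ROLE_STAFF]], ['type' => '1']);
$admin = authorize_user_creation(['userdata' => ['type' => ROLE_ADMIN]], ['type' => '1']);
$bogus = authorize_user_creation(['userdata' => ['type' => ROLE_ADMIN]], ['type' => '1 OR 1=1']);
foreach (['anonymous' => $anon, 'staff' => $staff, 'admin' => $admin, 'admin+bogus type' => $bogus] as $who => $d) {
    printf("%-17s ok=%s %s\n", $who, $d['ok'] ? 'yes' : 'no', $d['reason']);
}
```

The error_log call in the wiring comment is what makes the "Detection & Monitoring" indicators below observable at the application layer; a plain web-server access log never sees the POST body that carries 'Type'.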

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules that block POST requests to /classes/Users.php?f=save lacking an administrator session cookie, or whose body sets 'Type' to an administrative value (a WAF can inspect the POST body; a plain access log cannot)
  • Monitor user-creation activity, and periodically reconcile new rows in the users table against expected administrator actions

🔍 How to Verify

Check if Vulnerable:

On a non-production copy, send an unauthenticated POST to /classes/Users.php?f=save carrying the user fields and Type=1, then inspect the users table. If a new row appears, the instance is vulnerable.

Check Version:

Look for a version string in the admin panel or configuration files. If none is present, treat any deployment built from the 1.0 download as affected unless the workarounds have already been applied to Users.php.

Verify Fix Applied:

Repeat the unauthenticated request: it must be rejected (HTTP 401/403 or a failed status in the JSON response) and no row may appear. Then repeat it from a logged-in non-administrator session with Type=1; that must fail as well, which confirms both the authentication check and the Type validation are in place.

📡 Detection & Monitoring

Log Indicators:

  • Multiple user-creation attempts in a short window, especially with Type=1 (visible only where the POST body is logged: WAF, ModSecurity audit log, or application log)
  • User creation from IP addresses that administrators do not normally use, or outside normal administrative hours

Network Indicators:

  • POST requests to /classes/Users.php?f=save with Type=1 in the body; a standard access log shows only the path and query (f=save), so the parameter itself is only visible to a WAF or reverse proxy that inspects request bodies

SIEM Query:

web_access_logs WHERE url_path CONTAINS '/classes/Users.php' AND parameters CONTAINS 'Type=1'

The 'parameters' field must come from a source that captures the request body; against plain access logs, drop the parameters clause and alert on POSTs to the endpoint from non-administrator sources instead.
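As an added illustration of the indicators above (example code written for this page, not taken from the original or from the project), the PHP script below parses constructed combined-format access-log lines and flags POSTs to /classes/Users.php?f=save that come from IPs outside an assumed administrator allow-list or exceed a burst threshold. The log lines, the allow-list and the threshold are all constructed; because the POST body carrying Type=1 is absent from a standard access log, the check keys on the endpoint rather than the parameter.

```php
<?php
// Added example, not part of the original page: scan access-log lines for
// suspicious user-creation POSTs. Sample lines, allow-list and threshold are
// constructed for the example.

declare(strict_types=1);

const SAVE_PATH   = '/classes/Users.php';
const BURST_LIMIT = 3;                 // POSTs from one IP in the sample window
const ADMIN_IPS   = ['10.0.0.5'];      // assumption: where administrators work from

// Constructed Apache/Nginx combined-format lines.
const SAMPLE_LOG = <<<'LOG'
10.0.0.5 - - [10/Oct/2024:09:12:01 +0000] "POST /classes/Users.php?f=save HTTP/1.1" 200 27 "http://shop.example/admin/?page=user/manage_user" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2024:09:14:33 +0000] "POST /classes/Users.php?f=save HTTP/1.1" 200 27 "-" "python-requests/2.31"
203.0.113.9 - - [10/Oct/2024:09:14:34 +0000] "POST /classes/Users.php?f=save HTTP/1.1" 200 27 "-" "python-requests/2.31"
203.0.113.9 - - [10/Oct/2024:09:14:35 +0000] "POST /classes/Users.php?f=save HTTP/1.1" 200 27 "-" "python-requests/2.31"
198.51.100.7 - - [10/Oct/2024:09:20:10 +0000] "GET /classes/Users.php?f=save HTTP/1.1" 405 0 "-" "curl/8.4"
198.51.100.7 - - [10/Oct/2024:09:20:12 +0000] "POST /classes/Login.php?f=login HTTP/1.1" 200 20 "-" "curl/8.4"
LOG;

/** Extract ip, method, path, the f= query value and status from one line. */
function parse_line(string $line): ?array
{
    if (!preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]*" (\d{3})/', $line, $m)) {
        return null;   // not a combined-format line
    }
    $url = parse_url($m[3]);
    parse_str($url['query'] ?? '', $q);
    return [
        'ip'     => $m[1],
        'method' => $m[2],
        'path'   => $url['path'] ?? '',
        'f'      => $q['f'] ?? null,
        'status' => (int) $m[4],
    ];
}

/** Return [ip => ['count' => n, 'reasons' => [...]]] for suspicious sources. */
function find_suspicious_user_creation(string $log): array
{
    $perIp = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $r = parse_line($line);
        // Only successful-looking POSTs to the save action count; the GET probe
        // and the login POST in the sample are ignored.
        if ($r === null || $r['method'] !== 'POST' || $r['path'] !== SAVE_PATH || $r['f'] !== 'save') {
            continue;
        }
        $perIp[$r['ip']] = ($perIp[$r['ip']] ?? 0) + 1;
    }

    $alerts = [];
    foreach ($perIp as $ip => $n) {
        $reasons = [];
        if (!in_array($ip, ADMIN_IPS, true)) {
            $reasons[] = 'non-administrator source';
        }
        if ($n >= BURST_LIMIT) {
            $reasons[] = "burst of $n creations";
        }
        if ($reasons) {
            $alerts[$ip] = ['count' => $n, 'reasons' => $reasons];
        }
    }
    return $alerts;
}

foreach (find_suspicious_user_creation(SAMPLE_LOG) as $ip => $a) {
    printf("%-15s %d POST(s) to %s?f=save: %s\n", $ip, $a['count'], SAVE_PATH, implode(', ', $a['reasons']));
}
```

On the constructed sample the administrator's single request from 10.0.0.5 produces no alert, while 203.0.113.9 is reported for both reasons; feed the script real log lines on stdin (replace SAMPLE_LOG with file_get_contents('php://stdin')) to run it against a deployment.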

🔗 References

  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2024-9082
  • Vendor site: https://www.sourcecodester.com/
