# Exploit Title: Employee Performance Evaluation System 1.0 - Able to delete Admin user from Local account Unauthenticated Insecure Direct Object Reference (IDOR) # Date: 09/12/2020 # Exploit Author: Manish Solanki # Vendor Homepage: https://www.sourcecodester.com # Software Link: https://www.sourcecodester.com/php/14617/employee-performance-evaluation-system-phpmysqli-source-code.html # Version: 1.0 # Tested on: Windows 10/Kali Linux # PoC: https://drive.google.com/file/d/1LWU05ocapuoIL1nfqCF8DRu_T2gB-3sQ/view Steps to Reproduce: 1) Login with Admin Credentials (Email: admin@admin.com Password: admin123) 2) Create Local Employee Account 3) Log Out from Admin Account 4) Now login Local Employee Account 5) Change url to ?page=user_list. Now I am able to delete / change admin user http://localhost/epes/index.php?page=user_list 6) Now able to access admin privileges account and able to perform edit or delete operation from local account.