SAP Information System version 1.0.0 suffers from an improper authentication vulnerability that allows a malicious user to create an administrative account without needing to authenticate. The POST request is sent to the /SAP_Information_System/controllers/add_admin.php endpoint. The problem occurs due to lack of session verification in the request.
81b2d35c550ef4f8db3fd0aac42c15232a707b20d75b5eeabeefd52e176de1e6