Authored by Manish Solanki

Employee Performance Evaluation System version 1.0 suffers from an insecure direct object reference vulnerability.

# Exploit Title: Employee Performance Evaluation System 1.0 - Able to delete Admin user from Local account Unauthenticated Insecure Direct Object Reference (IDOR)
# Date: 09/12/2020
# Exploit Author: Manish Solanki
# Vendor Homepage:
# Software Link:
# Version: 1.0
# Tested on: Windows 10/Kali Linux
# PoC:

Steps to Reproduce:

1) Login with Admin Credentials (Email: [email protected] Password: admin123)
2) Create Local Employee Account
3) Log Out from Admin Account

4) Now login Local Employee Account
5) Change url to ?page=user_list. Now I am able to delete / change admin user


6) Now able to access admin privileges account and able to perform edit or delete operation from local account.