Lost and Found Information System version 1.0 allows a staff level user to adjust administrative controls.
advisories | CVE-2023-3018
Vulnerability: Broken Access Control
Author: Akash Pandey
*Steps to re-produce*:
1. Go to https://site.com/admin/?page=user/list as staff user.
2. Notice that as a staff user I am able to access admin functionalities.
3. Now as a staff I am able to edit admin user’s password