Summary

A critical vulnerability exists in the password reset functionality of the SourceCodester Inventory Management System. An unauthenticated attacker can reset the password of any user—including administrator accounts—without verification. This leads to complete account takeover and full system compromise.

Affected Versions

• All versions publicly available on SourceCodester
• Specific version numbers are not provided by the vendor (e.g., 1.0, 1.1, etc.)

Vulnerability Type

• CWE‑640: Weak Password Recovery Mechanism
• CWE‑306: Missing Authentication for Critical Function
• CWE‑284: Improper Access Control
• CWE‑639: IDOR (Insecure Direct Object Reference)

Severity

Critical — CVSS 3.1 Score: 9.8

Vector:

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Root Cause