Privilege escalation in code-projects Simple Car Rental System 1.0 lets an authenticated low-privilege user forge a high-privilege (administrator) session and invoke sensitive operations reserved for privileged accounts. The flaw is a broken access-control / authentication-bypass issue (CWE-284) with a publicly available exploit, though it is not listed in CISA KEV and carries a low EPSS probability (0.38%, 30th percentile), indicating limited real-world exploitation to date. Any user able to authenticate at a basic level can effectively take over administrative functionality.
Authentication bypass via SQL injection in code-projects Computer Laboratory System 1.0 allows a remote unauthenticated attacker to log in as a valid user by submitting a crafted 'universal password' in the login form's Password field. The injected SQL manipulates the login query so the authentication check always evaluates true, granting access without valid credentials. Publicly available exploit code exists (PoC published on GitHub), though the low EPSS score (0.42%, 34th percentile) and absence from CISA KEV indicate no confirmed active exploitation at time of analysis.