Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
4DescriptionCVE.org
A Business Logic vulnerability exists in SourceCodester Loan Management System v1.0 due to improper server-side validation. The application allows administrators to create "Loan Plans" with specific interest rates. While the frontend interface prevents users from entering negative numbers, this constraint is not enforced on the backend. An authenticated attacker can bypass the client-side restriction by manipulating the HTTP POST request to submit a negative value for the interest_percentage. This results in the creation of loan plans with negative interest rates.
AnalysisAI
SourceCodester Loan Management System v1.0 allows authenticated administrators to create loan plans with negative interest rates by submitting negative values in HTTP POST requests, bypassing client-side validation that lacks server-side enforcement. This business logic vulnerability enables attackers with administrative credentials to manipulate loan terms and potentially cause financial harm to the organization. Publicly available exploit code exists demonstrating the attack.
Technical ContextAI
The vulnerability stems from a classic client-server validation gap in web application architecture. The application implements interest rate constraints exclusively on the frontend (HTML/JavaScript form validation), which prevents users from entering negative numbers through the normal user interface. However, the backend API endpoint that processes loan plan creation (HTTP POST handler) performs no server-side validation of the interest_percentage parameter. An attacker with administrative authentication can use browser developer tools, curl, or other HTTP clients to craft a POST request with a JSON or form-encoded payload containing a negative value for interest_percentage, which the server accepts and persists to the database without validation. This bypasses the frontend security control entirely, representing a fundamental failure to implement defense-in-depth principles in input validation.
RemediationAI
Implement mandatory server-side validation of all user inputs, specifically validating that the interest_percentage parameter is a positive number (greater than zero) before accepting and storing loan plan data. This validation must occur in the backend API endpoint regardless of frontend controls. Code changes should include: (1) add a server-side check such as if (interest_percentage <= 0) { reject_request() } in the loan plan creation handler, (2) return a clear error message to the client if validation fails, and (3) log all rejected requests for audit purposes. Apply this remediation immediately to all instances of Loan Management System v1.0 in production. Additionally, conduct a data integrity audit to identify and correct any existing loan plans with negative interest rates already in the database. Future development should enforce server-side validation for all numeric and financial fields as a standard practice.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-17583