Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
8DescriptionCVE.org
A flaw has been found in code-projects Invoice System in Laravel 1.0. This impacts an unknown function of the file /user of the component User Management Handler. This manipulation causes improper authorization. Remote exploitation of the attack is possible. The exploit has been published and may be used.
AnalysisAI
Improper authorization in code-projects Invoice System in Laravel 1.0 allows authenticated remote attackers to bypass access controls on the User Management Handler (/user endpoint), gaining unauthorized read, write, and availability impact. The vulnerability has a published exploit available and affects all versions of the affected product line.
Technical ContextAI
The vulnerability resides in the User Management Handler component of the Invoice System in Laravel framework, specifically in the /user file endpoint. The root cause is classified as CWE-285 (Improper Authorization), indicating the application fails to properly validate that users are authorized to perform requested actions on user resources. This is a classic broken access control flaw common in Laravel applications where route middleware or policy authorization checks are either missing or insufficiently restrictive. An authenticated user can manipulate requests to access or modify user data they should not have permission to access, bypassing the intended authorization boundaries.
RemediationAI
Contact code-projects to obtain a patched version addressing the authorization bypass. In the interim, implement the following compensating controls: (1) Apply web application firewall rules to restrict POST/PUT/DELETE requests to the /user endpoint to only administrative users based on IP reputation or role headers, though this may impact legitimate administrative access; (2) Enforce strict input validation and rate-limiting on the /user endpoint to slow automated exploitation; (3) Review and strengthen Laravel route middleware and authorization policies on the User Management Handler - ensure all CRUD operations include proper authorization checks (e.g., Gate::authorize or Policy classes) that verify the authenticated user's role and ownership before allowing access; (4) Implement request logging and alerting on unauthorized access attempts to the /user endpoint to detect active exploitation; (5) Restrict application access to trusted networks only via firewall or VPN if operationally feasible. Note: these controls do not remediate the underlying flaw and should be temporary pending a vendor patch.
More in Invoice System In Laravel
View allImproper authorization in code-projects Invoice System in Laravel 1.0 allows remote unauthenticated attackers to bypass
Code-Projects Invoice System in Laravel 1.0 allows authenticated remote attackers to bypass authorization controls via m
Improper authorization in code-projects Invoice System in Laravel 1.0 allows authenticated remote attackers to bypass ac
Cross-site scripting (XSS) in code-projects Invoice System in Laravel 1.0 allows authenticated remote attackers to injec
Same weakness CWE-285 – Improper Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25778