Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A weakness has been identified in SourceCodester Ship Ferry Ticket Reservation System 1.0. This affects an unknown function of the file /admin/. This manipulation of the argument page causes improper authorization. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks.
AnalysisAI
Improper authorization in SourceCodester Ship Ferry Ticket Reservation System 1.0 allows authenticated remote attackers with low privileges to manipulate the page argument on the /admin/ endpoint, bypassing access controls and gaining unauthorized access to administrative functionality. The CVSS 4.0 vector (PR:L) confirms exploitation requires a valid low-privileged account rather than unauthenticated access. Publicly available exploit code exists (E:P in CVSS 4.0 vector, corroborated by a published Medium writeup), though the overall severity is rated Low (2.1) due to limited confidentiality, integrity, and availability impact with no scope change to subsequent systems.
Technical ContextAI
The affected product is SourceCodester Ship Ferry Ticket Reservation System 1.0, a PHP-based open-source reservation application distributed via sourcecodester.com. The root cause is classified as CWE-266 (Incorrect Privilege Assignment), meaning the /admin/ endpoint does not properly validate the privilege level of the authenticated session when processing the page query parameter. Rather than enforcing role-based access controls server-side, the application appears to trust client-supplied page values to gate administrative views, allowing a low-privileged user to traverse to restricted admin pages by crafting parameter values outside their intended scope. No CPE string was provided in the source data, but the product version is confirmed as 1.0.
RemediationAI
No vendor-released patch has been identified at time of analysis; the vulnerability was reported through VulDB (submission 831870) and no corresponding advisory from SourceCodester has been referenced. As a compensating control, restrict access to the /admin/ directory at the web server level using IP allowlisting (e.g., via Apache Require ip directives or nginx allow/deny blocks) to ensure only trusted administrator IPs can reach the endpoint - note this trades off flexibility for remote admin access. Additionally, enforce strict server-side role validation for all page parameter values in the admin controller, rejecting any value not explicitly mapped to the authenticated user's privilege level. Operators running this system in internet-facing environments should consider taking the admin interface offline or behind a VPN until a code-level fix is available. See the VulDB entry at https://vuldb.com/vuln/368366 and the researcher's writeup at https://medium.com/@hemantrajbhati5555/missing-authorization-in-sourcecodester-ship-ferry-ticket-reservation-system-leads-to-unauthorized-7783134d6596 for technical details.
Same weakness CWE-266 – Incorrect Privilege Assignment
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34772
GHSA-cf7f-3hv9-8wph