CVE-2026-5330：Best Courier Management System权限绕过

CVE-2026-5330 影响 SourceCodester 的 Mayurik Best Courier Management System 1.0 版本。在用户删除处理程序中存在访问控制不足的问题，具体位于 /ajax.php?action=deleteuser 文件。攻击者可以通过操纵 'ID' 参数在未经授权的情况下删除用户，从而可能危及用户数据完整性并获得未授权的系统访问权限。CVSS 评分达到 6.5，表明风险处于中等水平。远程利用是可能的，并且该漏洞已被公开披露，增加了遭受攻击的可能性。

Organizations utilizing Best Courier Management System version 1.0, particularly those with limited security expertise or those hosting the system on shared hosting environments, are at significant risk. Systems with default configurations or those lacking regular security updates are especially vulnerable to exploitation.

• generic web: Use curl to test the /ajax.php?action=delete_user endpoint with various 'ID' parameters. Look for successful deletion responses without proper authentication.

curl 'http://your-target/ajax.php?action=delete_user&id=1' 

• php: Examine the /ajax.php file for missing or inadequate access control checks before deleting users. Search for code patterns that directly use the 'ID' parameter without validation. • generic web: Monitor web server access logs for requests to /ajax.php?action=delete_user originating from unusual IP addresses or containing suspicious 'ID' values.

1. 2026-04-02Disclosure

   disclosure

1. 已保留2026-04-01
2. 发布日期2026-04-02
3. EPSS 更新日期2026-04-10

SourceCodester 目前尚未针对 CVE-2026-5330 提供官方修复程序。最直接的缓解措施是卸载或升级到 Mayurik 的安全版本，如果可用。作为临时措施，应实施更严格的数据库和 Web 服务器访问控制，以限制利用的潜在影响。监控服务器日志中与用户删除相关的可疑活动至关重要。使用 Mayurik 的系统管理员应评估风险并为其环境应用适当的安全措施。