Critical Vulnerability Summary Vulnerability Overview Vulnerability Type: Authorization Bypass in DELETE operations Product: Alumni Management System 1.0 Vendor: SourceCodester CVSS v3.1 Base Score: 8.1 (High) Root Cause and Impact Root Cause: Five DELETE functions in lack authorization checks. Impact: - Any authenticated user can delete forum topics, career posts, comments, gallery items, and events created by other users (including administrators). - Leads to irreversible data loss and platform unavailability. - Potential compromise of audit trails. Key Technical Details CWE Classification: - Primary: CWE-862 - Missing Authorization - Secondary: CWE-284 - Improper Access Control Affected Components: - File Path: Five DELETE functions in (delete_forum, delete_career, delete_comment, delete_gallery, delete_event) - Directly accessible via AJAX endpoint ( ) without additional authorization Proof of Concept (PoC) PoC Examples: Includes multiple examples such as deleting forum topics, career posts, mass deletion attacks, and a Python automation script. Impact Analysis Technical Impact: - Data destruction, denial of service, audit trail compromise. Business Impact: - Reputation damage, legal risks, operational disruption, financial loss. Remediation Recommendations Immediate Mitigation: Disable DELETE endpoints, implement WAF rules. Secure Code Implementation: Add user authentication and authorization checks for delete operations. Comprehensive Fix: Apply authorization checks to all delete operations.