Critical Vulnerability Information

Title
code-projects Contact Management System in PHP - Unknown Authentication Bypass Vulnerability

Description
The contact management system completely lacks authentication and authorization controls on its CRUD endpoints. Core write and delete operations (such as , , and ) modify the database without verifying the caller's identity or permissions. In addition, the web UI exposes plain GET links that trigger destructive actions (e.g., ) with no authorization check. As a result, any remote unauthenticated user can create, modify, or delete contacts and view the contact list.

Affected Components
- — Unauthenticated creation of contacts via POST
- — Unauthenticated modification via POST
- — Unauthenticated deletion via GET (no CSRF protection)
- , — Display and edit interfaces assumed to be for authenticated users

Reproduction Example
1. Access to view contacts (no authentication required).
2. Submit a POST request to with form fields (e.g., first, last, phone) to create a new record — the request succeeds without credentials.
3. Trigger deletion by accessing — the record is deleted without authentication or a CSRF token.
4. Submit a POST request to with and updated fields — the modification succeeds without authentication.

Impact
- Full unauthorized access to application data (read/write/delete).
- Compromised data integrity, data loss, and business disruption.
- Attackers can combine this with XSS/CSRF to escalate impact (e.g., session hijacking, persistent backdoors).
- If the database credentials (hardcoded in the source code) are leaked, sensitive data exposure may occur.

References/Evidence
Review the source code of , , and : uses to execute database deletion.
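The following is an added example written for this page; it is not code from the code-projects application and the file, table, column and function names in it are hypothetical. It places the vulnerability class described above (a destructive action reachable by an unauthenticated GET with no CSRF token) beside a hardened handler that requires POST, an authenticated session, a constant-time CSRF token comparison and a parameterised query. An in-memory SQLite database is constructed inline so the script runs offline.

```php
<?php
// Added example, not the project's own code. Names are hypothetical.
declare(strict_types=1);

// --- Constructed fixture: in-memory database so the script runs offline ---
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE contacts (id INTEGER PRIMARY KEY, first TEXT, last TEXT, phone TEXT)');
$pdo->exec("INSERT INTO contacts (first, last, phone) VALUES ('Ada', 'Example', '555-0100')");
$firstId = (int) $pdo->lastInsertId();

// --- Vulnerable pattern (the class of defect the advisory describes) ---
// Any remote caller who fetches ?id=N deletes the record: no session check,
// no CSRF token, a destructive action on a GET request, and string-built SQL.
function deleteContactUnprotected(PDO $pdo, array $get): int
{
    $id = (int) ($get['id'] ?? 0);
    return (int) $pdo->exec("DELETE FROM contacts WHERE id = $id");
}

// --- Hardened pattern ---
final class AuthError extends RuntimeException {}

// Per-session CSRF token; stored in the session and embedded in the delete form.
function csrfToken(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

function deleteContactProtected(PDO $pdo, string $method, array $session, array $post): int
{
    // 1. Destructive actions only on POST, so a plain link or image tag cannot trigger them.
    if ($method !== 'POST') {
        throw new AuthError('405: destructive action requires POST');
    }
    // 2. The caller must hold an authenticated session.
    if (empty($session['user_id'])) {
        throw new AuthError('401: login required');
    }
    // 3. The submitted CSRF token must match the session token (constant-time compare).
    $expected = (string) ($session['csrf_token'] ?? '');
    $given    = (string) ($post['csrf_token'] ?? '');
    if ($expected === '' || !hash_equals($expected, $given)) {
        throw new AuthError('403: CSRF token missing or invalid');
    }
    // 4. Validate input and use a parameterised query.
    $id = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT);
    if ($id === false || $id === null) {
        throw new AuthError('400: invalid id');
    }
    // In a multi-user deployment, also scope the DELETE to the record owner
    // (e.g. AND owner_id = :uid); the advisory's application has no user model.
    $stmt = $pdo->prepare('DELETE FROM contacts WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->rowCount();
}

// --- Demonstration ---
// An anonymous GET succeeds against the vulnerable handler.
echo 'vulnerable handler deleted ', deleteContactUnprotected($pdo, ['id' => (string) $firstId]), " row(s)\n";

$pdo->exec("INSERT INTO contacts (first, last, phone) VALUES ('Ada', 'Example', '555-0100')");
$secondId = (string) $pdo->lastInsertId();

// The same request shape is rejected by the hardened handler at each layer in turn.
foreach ([
    ['GET',  [],                ['id' => $secondId]],   // wrong method
    ['POST', [],                ['id' => $secondId]],   // no session
    ['POST', ['user_id' => 7],  ['id' => $secondId]],   // no CSRF token
] as [$method, $sess, $post]) {
    try {
        deleteContactProtected($pdo, $method, $sess, $post);
    } catch (AuthError $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}

// A logged-in POST carrying the session's own token is the only path that deletes.
$session = ['user_id' => 7];
$token   = csrfToken($session);
echo 'hardened handler deleted ',
    deleteContactProtected($pdo, 'POST', $session, ['id' => $secondId, 'csrf_token' => $token]),
    " row(s)\n";
```

The ordering of the checks matters for detection as much as for defence: method, session and CSRF failures each raise a distinct status, so access logs show 405/401/403 responses on the delete endpoint rather than a silent 200, which is what the vulnerable handler returns to every caller.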