CVE-2024-9082 Overview
CVE-2024-9082 affects SourceCodester Online Eyewear Shop 1.0, a PHP-based e-commerce application developed by oretnom23. The vulnerability resides in the User Creation Handler component at /classes/Users.php?f=save. An attacker can manipulate the Type argument with the value 1 to bypass authorization controls during user creation. The flaw enables remote exploitation without requiring elevated privileges. Public disclosure of the exploit increases the likelihood of opportunistic attacks against exposed installations. The issue is classified under [CWE-266] Incorrect Privilege Assignment and [CWE-863] Incorrect Authorization.
Critical Impact
Remote attackers with low privileges can manipulate the Type parameter during user creation to escalate to administrative roles, compromising the application's access control model.
Affected Products
- SourceCodester Online Eyewear Shop 1.0
- oretnom23 online_eyewear_shop 1.0
- CPE: cpe:2.3:a:oretnom23:online_eyewear_shop:1.0
Discovery Timeline
- 2024-09-22 - CVE-2024-9082 published to NVD
- 2025-09-30 - Last updated in NVD database
Technical Details for CVE-2024-9082
Vulnerability Analysis
The vulnerability stems from missing authorization checks in the user save handler. The save function in /classes/Users.php accepts a Type parameter from client-side input and assigns it directly to the user record. Submitting Type=1 provisions the new account with an elevated role rather than the default privilege level. The application fails to verify whether the requesting session has permission to assign that role. This is a server-side trust boundary violation where attacker-controlled input dictates authorization state.
Root Cause
The root cause is improper authorization combined with incorrect privilege assignment. The handler treats the Type field as trusted client input instead of restricting role assignment to authenticated administrators. The application lacks role-based access control enforcement on sensitive write operations, allowing low-privileged or self-registered users to influence privilege fields.
Attack Vector
An attacker submits an HTTP POST request to /classes/Users.php?f=save containing user account fields along with Type=1. Because the endpoint does not validate the caller's role before honoring the parameter, the server persists the elevated role. Subsequent logins with the newly created credentials yield administrative access to the eyewear shop application, including catalog, order, and user management functions.
The vulnerability mechanism is described in the GitHub CVE Documentation and tracked in the VulDB CTI ID #278252 advisory.
Detection Methods for CVE-2024-9082
Indicators of Compromise
- HTTP POST requests to /classes/Users.php?f=save containing a Type parameter set to 1 from unauthenticated or low-privileged sessions.
- Newly created user accounts holding administrative privileges without corresponding administrator-initiated audit entries.
- Anomalous logins to administrative pages from accounts created within minutes of suspicious POST traffic.
Detection Strategies
- Inspect web server access logs for POST requests targeting /classes/Users.php?f=save and correlate the session cookie with the application's own record of the requester's role. Note that standard access logs do not record the POST body, so the Type parameter itself is only visible where request bodies are logged (for example in a WAF audit log).
- Compare database records of recently added users against expected administrator provisioning workflows.
- Deploy web application firewall rules that block or alert on user-creation requests where the Type field is supplied by non-administrative sessions.
Monitoring Recommendations
- Enable detailed audit logging for all account creation and role-modification events in the application database.
- Alert on unexpected privilege escalations and on first-time administrative logins from new accounts.
- Monitor outbound HTTP traffic from the web server for indicators of post-exploitation activity such as webshell deployment.
How to Mitigate CVE-2024-9082
Immediate Actions Required
- Restrict network access to the Online Eyewear Shop application until a vendor patch is available, especially on internet-exposed deployments.
- Audit the users table and remove or downgrade any unauthorized administrative accounts created since deployment.
- Add server-side authorization checks in /classes/Users.php that reject Type values supplied by non-administrative sessions.
Patch Information
No official vendor patch has been published by SourceCodester or oretnom23 at the time of disclosure. Operators should track the SourceCodester Security Resources page and the VulDB #278252 record for fix availability. In the interim, apply a custom code modification to enforce role validation before persisting the Type field.
Workarounds
- Implement a web application firewall rule that drops requests to /classes/Users.php?f=save containing a Type parameter when the session is not authenticated as an administrator.
- Modify the save function to ignore the client-supplied Type value and default new registrations to the lowest privilege role.
- Disable public user registration if it is not required for business operations.
# Example ModSecurity rule to block unauthorized role assignment.
# The WAF cannot see the application session, so this blocks every request
# that submits Type=1 to the save handler, including legitimate administrator
# actions; pair it with the server-side role check described under Workarounds.
# REQUEST_FILENAME is used because REQUEST_URI includes the query string and
# would never be string-equal to the bare path.
SecRule REQUEST_METHOD "@streq POST" \
    "chain,phase:2,deny,status:403,log,id:1009082,\
    msg:'CVE-2024-9082 Online Eyewear Shop privilege escalation attempt'"
    SecRule REQUEST_FILENAME "@endsWith /classes/Users.php" "chain"
    SecRule ARGS_GET:f "@streq save" "chain"
    SecRule ARGS_POST:Type "@streq 1"
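The following is an added example of the server-side fix described under Workarounds (ignore the client-supplied Type unless the caller is an administrator, and default new registrations to the lowest role). It is not the project's code: the role numbers, the session layout and the field names are assumptions about the Online Eyewear Shop schema.

```php
<?php
// Added example, not the project's own code. Role numbers, the session
// layout ($_SESSION['userdata']['type']) and the field names are assumptions
// about the Online Eyewear Shop schema, not taken from its source.
declare(strict_types=1);

const ROLE_ADMIN = 1; // assumption: Type=1 is the administrative role
const ROLE_USER  = 2; // assumption: lowest-privilege role for new accounts
const KNOWN_ROLES = [ROLE_ADMIN, ROLE_USER];

/**
 * Decide which Type value the save handler may persist.
 * The client-supplied value is honoured only when the calling session is an
 * administrator; every other caller keeps its existing role (on update) or
 * receives the default role (on registration).
 */
function resolveUserType(array $session, ?string $requested, ?int $existing = null): int
{
    $caller = (int)($session['userdata']['type'] ?? 0);
    if ($caller !== ROLE_ADMIN) {
        // Non-admin or anonymous caller: the Type field is ignored entirely.
        return $existing ?? ROLE_USER;
    }
    // Administrators may choose a role, but only a known one.
    $type = (int)($requested ?? ROLE_USER);
    return in_array($type, KNOWN_ROLES, true) ? $type : ROLE_USER;
}

// In the save handler the resolved value replaces the raw request field:
//   $type = resolveUserType($_SESSION, $_POST['type'] ?? null, $currentType);
//   $stmt = $conn->prepare('INSERT INTO users (username, password, type) VALUES (?, ?, ?)');

// Self-check when run from the command line (php hardened_save.php).
if (PHP_SAPI === 'cli') {
    $cases = [
        // [session, requested Type, existing role, expected result]
        [[], '1', null, ROLE_USER],                              // self-registration with Type=1
        [['userdata' => ['type' => 2]], '1', 2, ROLE_USER],      // user editing own profile
        [['userdata' => ['type' => 1]], '1', null, ROLE_ADMIN],  // admin creating an admin
        [['userdata' => ['type' => 1]], '99', null, ROLE_USER],  // admin sends unknown role
    ];
    foreach ($cases as [$s, $r, $e, $want]) {
        $got = resolveUserType($s, $r, $e);
        if ($got !== $want) {
            throw new RuntimeException("expected $want, got $got");
        }
    }
    echo "all checks passed\n";
}
```

The same helper should guard the update path of the handler, otherwise a self-registered account could still promote itself by editing its own profile.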
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.