CVE-2024-40475 identifies an incorrect access control vulnerability in SourceCodester Best House Rental Management System version 1.0. The flaw resides in multiple PHP endpoints responsible for generating and displaying rental-related reports and user information, specifically /rental/payment_report.php, /rental/balance_report.php, /rental/invoices.php, /rental/tenants.php, and /rental/users.php. These endpoints lack proper authorization checks, allowing unauthenticated remote attackers to access sensitive data such as payment details, balances, invoices, tenant information, and user records. The vulnerability is classified under CWE-284 (Improper Access Control), indicating that the application fails to enforce correct permissions on critical resources. The CVSS 3.1 base score of 5.3 reflects that the attack vector is network-based (AV:N), requires no privileges (PR:N), no user interaction (UI:N), and affects confidentiality only (C:L), without impacting integrity or availability. The scope is unchanged (S:U), meaning the vulnerability affects only the vulnerable component. No patches or known exploits have been reported yet, but the exposure of sensitive rental management data poses privacy risks and could facilitate further attacks if combined with other vulnerabilities or social engineering. The vulnerability highlights the importance of implementing robust access control mechanisms in web applications managing sensitive financial and personal data.

The primary impact of CVE-2024-40475 is unauthorized disclosure of sensitive information related to rental payments, balances, invoices, tenants, and users. This breach of confidentiality can lead to privacy violations, identity theft, and potential financial fraud. Organizations using the affected system may face regulatory compliance issues, reputational damage, and loss of customer trust if sensitive tenant or financial data is exposed. Although the vulnerability does not directly affect data integrity or system availability, the leaked information could be leveraged by attackers for targeted phishing, social engineering, or further exploitation of the network. The ease of exploitation (no authentication or user interaction required) increases the risk of automated scanning and data harvesting by malicious actors. This threat is particularly concerning for property management companies, real estate agencies, and landlords relying on this software to manage tenant and financial records.

To mitigate CVE-2024-40475, organizations should immediately restrict access to the affected PHP scripts by implementing network-level controls such as IP whitelisting or VPN requirements. Application-level mitigations include enforcing strict authentication and authorization checks on all endpoints handling sensitive rental and user data. Developers should review and update the access control logic to ensure that only authorized users can access payment reports, balance reports, invoices, tenant information, and user data. Employing role-based access control (RBAC) or attribute-based access control (ABAC) mechanisms can help enforce granular permissions. Additionally, monitoring and logging access to these endpoints can detect and alert on unauthorized access attempts. Until an official patch is released, consider disabling or removing public access to these scripts if feasible. Regular security assessments and penetration testing should be conducted to verify the effectiveness of access controls. Finally, organizations should educate staff about the risks of data exposure and implement incident response plans to address potential breaches.