CVE-2024-54818 identifies an incorrect access control vulnerability in SourceCodester Computer Laboratory Management System version 1.0. The flaw exists in the administrative interface, specifically at the /php-lms/admin/?page=user/list URL, where access control mechanisms fail to properly restrict user permissions. This allows an attacker with some level of authenticated access (PR:L) to perform unauthorized actions or view sensitive user information, violating confidentiality and integrity. The vulnerability does not require user interaction and can be exploited remotely over the network (AV:N). The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) indicates low attack complexity, no user interaction, and high impact on confidentiality, integrity, and availability. The CWE-281 classification confirms the root cause as improper access control. Although no public exploits or patches are currently available, the vulnerability poses a significant risk to systems running this software, especially in educational or laboratory management environments where sensitive student and staff data is stored. Organizations should conduct thorough access control audits and monitor for suspicious activity related to this endpoint.

The vulnerability can lead to unauthorized disclosure of sensitive user data, modification of user records, and potential disruption of laboratory management operations. This compromises confidentiality, integrity, and availability of the system, potentially exposing personally identifiable information (PII) of students and staff. Attackers exploiting this flaw could escalate privileges, manipulate administrative functions, or cause denial of service conditions. The impact extends to reputational damage, regulatory non-compliance (especially in education sectors), and operational disruptions. Since the vulnerability requires some level of authentication, insider threats or compromised credentials increase risk. The lack of patches heightens exposure, making timely mitigation critical to prevent exploitation in environments using this software.

1. Immediately restrict access to the /php-lms/admin/?page=user/list endpoint to only fully trusted administrators using network-level controls such as IP whitelisting or VPN access. 2. Implement strict role-based access control (RBAC) policies to ensure users have the minimum necessary privileges, verifying that users cannot access administrative pages without proper authorization. 3. Conduct a comprehensive audit of all access control mechanisms within the application, focusing on privilege checks for all admin-related endpoints. 4. Monitor logs for unusual access patterns or attempts to access restricted pages by non-administrative users. 5. If possible, deploy web application firewalls (WAFs) with custom rules to block unauthorized requests targeting this endpoint. 6. Engage with the software vendor or community to obtain or request patches and updates addressing this vulnerability. 7. Educate users and administrators about credential security to reduce risks from compromised accounts. 8. Consider isolating the affected system from public internet exposure until a patch is available.