Insecure permission
There is an insecure permission vulnerability in /hrm/controller/ccity.php?positionedit= in the SourceCodester Human Resource Management System 1.0, allowing attackers to access functions that are not permitted for a normal user.
Path URL: /hrm/controller/ccity.php?positionedit=
Parameter: position.php
The attacker can use a normal account to add a new position, which is not permitted for a normal user.
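
Mitigation sketch: the position action needs a server-side role check that runs before any change is made. The code below is an added example, not code from the application; the session keys ('user_id', 'role'), the role names and the function names are assumptions.

```php
<?php
// Added example, not SourceCodester code. Session keys, role names and the
// action-to-role map are assumptions made for illustration.

const ACTION_ROLES = [
    // action (query parameter name) => roles allowed to invoke it
    'positionedit' => ['admin'],
];

/** Deny by default: missing session, unknown action or unlisted role all fail. */
function is_authorized(array $session, string $action): bool
{
    if (empty($session['user_id']) || !isset($session['role'])) {
        return false;                        // not logged in
    }
    $allowed = ACTION_ROLES[$action] ?? [];  // unknown action => nobody
    return in_array($session['role'], $allowed, true);
}

/** Returns the HTTP status the controller should send for this request. */
function handle_request(array $session, array $query): int
{
    foreach (array_keys($query) as $key) {
        $action = (string) $key;
        if (!array_key_exists($action, ACTION_ROLES)) {
            continue;                        // not a protected action parameter
        }
        if (!is_authorized($session, $action)) {
            // 401 when there is no login at all, 403 when the role is too low
            return empty($session['user_id']) ? 401 : 403;
        }
        // ... add or edit the position here, only after the check passed ...
        return 200;
    }
    return 404;                              // no known action requested
}

// Constructed sample requests to ccity.php?positionedit=
$admin  = ['user_id' => 1, 'role' => 'admin'];
$normal = ['user_id' => 7, 'role' => 'employee'];
$query  = ['positionedit' => ''];

printf("admin:     %d\n", handle_request($admin,  $query));
printf("employee:  %d\n", handle_request($normal, $query));
printf("anonymous: %d\n", handle_request([],      $query));
```

The check keys on the role stored in the server-side session, so hiding the menu entry from normal users is not what enforces the restriction.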