An issue in Best Courier Management System v.1.000 allows a remote attacker to execute arbitrary code and escalate privileges via a crafted script to the userID parameter.

Additional Information Video POC Link On YT ; https://youtu.be/3Mz2lSElg7Y

Vulnerability Type Incorrect Access Control - Account takeOver

Affected Component Update User Form where we can update username & password

Attack Vectors need the User id which is easily we can get in password reset.

Discoverer sajal jat