📄 Description (English)
A weakness has been identified in SourceCodester Ship Ferry Ticket Reservation System 1.0. This affects an unknown function of the file /admin/. This manipulation of the argument page causes improper authorization. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks.
🤖 AI Executive Summary
CVE-2026-10876 is a medium-severity authorization bypass vulnerability in SourceCodester Ship Ferry Ticket Reservation System 1.0 affecting the /admin/ endpoint. An attacker can manipulate the 'page' parameter to bypass access controls and gain unauthorized administrative access. While no public exploit is currently available and the vulnerability has limited immediate threat, the lack of a patch and public disclosure of the vulnerability type creates moderate risk for organizations using this system.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: Jun 5, 2026 04:18
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability primarily affects Saudi maritime and transportation organizations using SourceCodester's ferry reservation system. At-risk sectors include: (1) Saudi ports and maritime authorities managing ferry operations, (2) Tourism and hospitality companies operating ferry services in the Red Sea and Arabian Gulf, (3) Government transportation agencies coordinating inter-island services. The authorization bypass could allow unauthorized access to passenger data, booking information, and administrative functions, potentially impacting operational continuity and passenger privacy compliance with SAMA and NCA regulations.
🏢 Affected Saudi Sectors
Maritime and Transportation
Tourism and Hospitality
Government Transportation Agencies
Port Authorities
🎯 MITRE ATT&CK Techniques
⚖️ Saudi Risk Score (AI)
6.2
/ 10.0
🔧 Remediation Steps (English)
Immediate Actions:
1. Identify all instances of SourceCodester Ship Ferry Ticket Reservation System 1.0 in your environment
2. Restrict network access to /admin/ endpoints using WAF rules or network segmentation
3. Implement IP whitelisting for administrative access
4. Enable comprehensive logging and monitoring of /admin/ access attempts
Compensating Controls:
5. Deploy Web Application Firewall (WAF) rules to block requests with suspicious 'page' parameter values
6. Implement input validation and sanitization for the 'page' parameter
7. Apply principle of least privilege to administrative accounts
8. Conduct immediate access review of administrative accounts
Patching Guidance:
9. Contact SourceCodester for security patches or consider migrating to alternative, actively maintained ferry reservation systems
10. If migration is not feasible, implement additional authentication layers (MFA) for admin access
Detection Rules:
11. Monitor for repeated /admin/ access attempts with varying 'page' parameter values
12. Alert on successful /admin/ access from unexpected IP addresses or user accounts
13. Log all parameter modifications to the 'page' variable in admin functions
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. تحديد جميع نسخ نظام حجز تذاكر العبّارات من SourceCodester الإصدار 1.0 في بيئتك
2. تقييد الوصول إلى نقاط نهاية /admin/ باستخدام قواعد جدار الحماية أو تقسيم الشبكة
3. تطبيق قائمة بيضاء للعناوين IP للوصول الإداري
4. تفعيل السجلات الشاملة ومراقبة محاولات الوصول إلى /admin/
عناصر التحكم التعويضية:
5. نشر قواعد جدار حماية تطبيقات الويب (WAF) لحظر الطلبات ذات قيم معامل 'page' المريبة
6. تطبيق التحقق من صحة المدخلات والتنظيف لمعامل 'page'
7. تطبيق مبدأ أقل امتياز على الحسابات الإدارية
8. إجراء مراجعة فورية للوصول إلى الحسابات الإدارية
إرشادات التصحيح:
9. الاتصال بـ SourceCodester للحصول على تصحيحات أمنية أو النظر في الهجرة إلى أنظمة حجز عبّارات بديلة
10. إذا لم تكن الهجرة ممكنة، قم بتطبيق طبقات مصادقة إضافية (MFA) للوصول الإداري
قواعد الكشف:
11. مراقبة محاولات الوصول المتكررة إلى /admin/ بقيم معامل 'page' مختلفة
12. تنبيه الوصول الناجح إلى /admin/ من عناوين IP أو حسابات مستخدم غير متوقعة
13. تسجيل جميع تعديلات المعاملات على متغير 'page' في الوظائف الإدارية
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.9.1.1 - Access Control Policy
ECC 2024 A.9.2.1 - User Registration and Access Management
ECC 2024 A.9.4.3 - Password Management
ECC 2024 A.14.2.1 - Secure Development Policy
🔵 SAMA CSF
SAMA CSF ID.AC-1 - Access Control Policy and Procedures
SAMA CSF PR.AC-1 - Identities and Credentials
SAMA CSF PR.AC-3 - Access Enforcement
SAMA CSF DE.CM-1 - Network Monitoring
🟡 ISO 27001:2022
ISO 27001:2022 A.5.15 - Access Control
ISO 27001:2022 A.8.2 - Privileged Access Rights
ISO 27001:2022 A.8.3 - Information Access Restriction
ISO 27001:2022 A.12.4.1 - Event Logging
🔗 References & Sources 6
🔗
🔗
🔗
🔗
🔗
🔗
https://medium.com/@hemantrajbhati5555/missing-authorization-in-sourcecodester-ship-fer...
cna@vuldb.com
https://vuldb.com/cve/CVE-2026-10876
cna@vuldb.com
https://vuldb.com/submit/831870
cna@vuldb.com
https://vuldb.com/vuln/368366
cna@vuldb.com
https://vuldb.com/vuln/368366/cti
cna@vuldb.com
https://www.sourcecodester.com/
cna@vuldb.com