An issue in Best Courier Management System v.1.000 allows a remote attacker to execute arbitrary code and escalate privileges via a crafted script to the userID parameter.
Additional Information Video POC Link On YT ; https://youtu.be/3Mz2lSElg7Y
Vulnerability Type Incorrect Access Control - Account takeOver
Affected Component Update User Form where we can update username & password
Attack Vectors need the User id which is easily we can get in password reset.
Discoverer sajal jat