An issue in Insurance Management System v.1.0.0 and before allows a remote attacker to escalate privileges via a crafted POST request to /admin/core/new_staff.
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.