An issue in Insurance Management System v.1.0.0 and before allows a remote malicious user to escalate privileges via a crafted POST request to /admin/core/new_staff.