CVE-2024-46610

An access control issue in IceCMS v3.4.7 and before allows attackers to arbitrarily modify users' information, including username and password, via a crafted POST request sent to the endpoint /User/ChangeUser/s in the ChangeUser function in UserController.java
Configurations

Configuration 1 (hide)

cpe:2.3:a:thecosy:icecms:*:*:*:*:*:*:*:*

History

21 Nov 2024, 09:38

Type Values Removed Values Added
CWE CWE-284

30 Sep 2024, 16:30

Type Values Removed Values Added
CPE cpe:2.3:a:thecosy:icecms:*:*:*:*:*:*:*:*
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 7.5
First Time Thecosy
Thecosy icecms
References () https://github.com/Lunax0/LogLunax/blob/main/icecms/CVE-2024-46610.md - () https://github.com/Lunax0/LogLunax/blob/main/icecms/CVE-2024-46610.md - Exploit, Third Party Advisory
References () https://github.com/Thecosy/iceCMS?tab=readme-ov-file - () https://github.com/Thecosy/iceCMS?tab=readme-ov-file - Product
CWE NVD-CWE-noinfo

26 Sep 2024, 13:32

Type Values Removed Values Added
Summary
  • (es) Un problema de control de acceso en IceCMS v3.4.7 y anteriores permite a los atacantes modificar arbitrariamente la información de los usuarios, incluido el nombre de usuario y la contraseña, a través de una solicitud POST manipulada enviada al endpoint /User/ChangeUser/s en la función ChangeUser en UserController.java

25 Sep 2024, 01:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-09-25 01:15

Updated : 2024-11-21 09:38


NVD link : CVE-2024-46610

Mitre link : CVE-2024-46610

CVE.ORG link : CVE-2024-46610


JSON object : View

Products Affected

thecosy

  • icecms
CWE
NVD-CWE-noinfo CWE-284

Improper Access Control