Lucene search

[email protected]NVD:CVE-2024-46610

HistorySep 25, 2024 - 1:15 a.m.

CVE-2024-46610

2024-09-2501:15:44

[email protected]

web.nvd.nist.gov

access control

attackers

modify user information

crafted requests

usercontroller.

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS

0.001

Percentile

18.5%

JSON

An access control issue in IceCMS v3.4.7 and before allows attackers to arbitrarily modify users’ information, including username and password, via a crafted POST request sent to the endpoint /User/ChangeUser/s in the ChangeUser function in UserController.java

Affected configurations

Nvd

Node

thecosyicecmsRange≤3.4.7

VendorProductVersionCPE
thecosyicecms*cpe:2.3:a:thecosy:icecms:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
thecosy	icecms	*	cpe:2.3:a:thecosy:icecms::::::::

References

github.com/Lunax0/LogLunax/blob/main/icecms/CVE-2024-46610.md

github.com/Thecosy/iceCMS?tab=readme-ov-file

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS

0.001

Percentile

18.5%

JSON

Related for NVD:CVE-2024-46610

cvelist1 cve1