Unauthorized and Over-Privileged API Access Vulnerability: Harvesting All Usernames and Passwords

Thecosy / IceCMS

🌈冰激凌内容管理系统🍦,实现MacWK资源站，社区图片视频圈子CMS，支持网页端移动端小程序🌟适合做资讯商城，社区论坛，聊天交友社区，博客，圈子，论坛，图片，视频，社交。

https://www.icecms.cn

GNU Affero General Public License v3.0

1.56k stars 223 forks source link

Open h1thub opened 2 months ago

h1thub commented 2 months ago

You can see in the figure below that the following API interface lacks authentication.(hithub is me)

Iterate through the numbers in the figure below.

By iterating through these numbers, you can obtain all users' usernames and passwords, as shown in the figure below.

wuanbin commented 1 month ago

this can cve？

wuanbin commented 1 month ago

算是一个cve了