Direct Request ('Forced Browsing')

CVE-2021-40616

Medium

6.5/10

Summary

thinkcmf/thinkcmf versions prior to 6.0.8 and thinkcmf/cmf-app versions prior to 6.0.15 have an unauthorized vulnerability. The attacker can modify the password of the administrator account with id 1 through the background user management group permissions. The use condition is that the background user management group authority is required.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: HIGH
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: LOW
Confidentiality Impact: NONE
Availability Impact: NONE

CWE-425 - Direct Request ('Forced Browsing')

The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.

References

Advisory
Issue
thinkcmf/thinkcmf
thinkcmf/cmf-app

Advisory Timeline

Published Jun 14, 2022

Direct Request ('Forced Browsing')

CVE-2021-40616

Summary

CWE-425 - Direct Request ('Forced Browsing')

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS