CVE-2023-42321: Cross-Site Request Forgery in icmsdev iCMS v7.0.16

Cross-Site Request Forgery (CSRF) vulnerability in icmsdev iCMS v7.0.16 allows a remote attacker to execute arbitrary code via the user.admincp.php, members.admincp.php, and group.admincp.php files. The forged request is issued from the browser of an administrator who is already logged in, so the attacker needs no credentials of their own.


[CVE-ID]

CVE-2023-42321

[CNVD-ID]

CNVD-2023-68150

[Description]

In iCMS V7.0.16 the administrator's session can be hijacked through cross-site request forgery: the back-end user-management actions accept a request as long as it arrives with a valid administrator session cookie, so a remote attacker who lures a logged-in administrator into loading a crafted page can add members, roles and administrator accounts at will, without ever logging in to an account.
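Added example, not iCMS code and not part of the discoverer's report: the pattern the description implies (a privileged action gated only by the presence of an administrator session) shown beside a hardened handler that adds a per-session synchronizer token, an Origin/Referer check and a SameSite session cookie. The endpoint path, the parameter names `username`, `password` and `csrf_token`, and the host name `cms.example.internal` are assumptions; the two requests at the bottom are constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Added example, not iCMS code. Endpoint, parameter names ('username', 'password',
// 'csrf_token') and the host name 'cms.example.internal' are hypothetical.

// SameSite=Lax stops browsers that honour the attribute from attaching the session
// cookie to cross-site POSTs. It is a browser-side layer only; keep the server checks.
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Lax',
]);
session_start();

// Stand-in for the real account store; a CMS would write to its database here.
function create_admin_account(string $username, string $password): bool
{
    return $username !== '' && strlen($password) >= 12;
}

// VULNERABLE: the only gate is "does the caller have an admin session?". A form
// auto-submitted from the administrator's browser by another site carries that
// session cookie, so an attacker who never logs in gets an account created for them.
function add_admin_vulnerable(array $post): bool
{
    if (empty($_SESSION['is_admin'])) {
        return false;
    }
    return create_admin_account((string)($post['username'] ?? ''), (string)($post['password'] ?? ''));
}

// Per-session synchronizer token, generated once and embedded in every admin form.
// A cross-site page cannot read it, so it cannot include it in a forged request.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Independent second layer: a forged request carries Origin (or Referer) pointing at
// the attacker's site. Requests with neither header are rejected rather than trusted.
function request_is_same_origin(array $server, string $expected_host): bool
{
    $source = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? '';
    $host = parse_url($source, PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, $expected_host) === 0;
}

// HARDENED: admin session, POST only, same origin, then a constant-time token compare.
function add_admin_hardened(array $post, array $server): bool
{
    if (empty($_SESSION['is_admin'])) {
        return false;
    }
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return false;
    }
    if (!request_is_same_origin($server, 'cms.example.internal')) {
        return false;
    }
    $supplied = $post['csrf_token'] ?? '';
    if (!is_string($supplied) || !hash_equals(csrf_token(), $supplied)) {
        return false;
    }
    return create_admin_account((string)($post['username'] ?? ''), (string)($post['password'] ?? ''));
}

// The legitimate admin form has to carry the token, or real submissions fail the check.
function render_add_admin_form(): string
{
    $token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="/admin/add_admin.php">'
         . '<input type="hidden" name="csrf_token" value="' . $token . '">'
         . '<input name="username"><input type="password" name="password">'
         . '<button>Add administrator</button></form>';
}

// Constructed requests: an administrator is logged in, and a page on attacker.example
// auto-submits a form to the endpoint. The vulnerable handler creates the account;
// the hardened handler refuses the forged request and accepts only the same-origin
// submission that carries the session's token.
$_SESSION['is_admin'] = true;
$forged = ['username' => 'backdoor', 'password' => 'correct-horse-battery'];
$forgedServer = ['REQUEST_METHOD' => 'POST', 'HTTP_ORIGIN' => 'https://attacker.example'];
var_dump(add_admin_vulnerable($forged));
var_dump(add_admin_hardened($forged, $forgedServer));

$legit = $forged + ['csrf_token' => csrf_token()];
$legitServer = ['REQUEST_METHOD' => 'POST', 'HTTP_ORIGIN' => 'https://cms.example.internal'];
var_dump(add_admin_hardened($legit, $legitServer));
```

The order of checks in the hardened handler matters: the method and origin checks are cheap and reject the bulk of forged traffic before the token is touched, and hash_equals keeps the token comparison constant-time. The SameSite attribute is worth setting but is not a substitute for the token, since older clients and some top-level navigations do not honour it the same way.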

------------------------------------------

[Vulnerability Type]

Cross-Site Request Forgery (recorded in the original report as Insecure Permissions)

------------------------------------------

[Vendor of Product]

icmsdev

------------------------------------------

[Affected Product Code Base]

icms - V7.0.16

------------------------------------------

[Affected Component]

Back-end user management: Add Administrator, Add Member, Member Management and Role Management (user.admincp.php, members.admincp.php and group.admincp.php), among others

------------------------------------------

[Attack Type]

Remote

------------------------------------------

[Impact Code Execution]

true

------------------------------------------

[Impact Information Disclosure]

true

------------------------------------------

[Attack Vectors]

Cross-site request forgery: a crafted page submits a request to the admincp.php endpoints from the browser of a logged-in administrator, so the administrator's existing session is reused to authorize the action.

------------------------------------------

[Reference]

https://www.icmsdev.com/

------------------------------------------

[Discoverer]

chubby
