CVE-2023-33355: There is unauthorized access to the API, resulting in the disclosure of sensitive information · Issue #7 · Thecosy/IceCMS
IceCMS v1.0.0 has Insecure Permissions. There is unauthorized access to the API, resulting in the disclosure of sensitive information.
This API does not require login; it obtains user information through user_id and returns the user name, password, and email address in plain text.
For example, with the preview address provided by the project, macwk.cc, the backend service address is macwk.cc/api, as seen through the request body. So we can get any user's information, including the administrator's.
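The flaw described above, modelled as an added example (not IceCMS code and not part of the original issue): a lookup that behaves as the report describes, next to a hardened version that requires a session, authorizes the caller against the requested user_id, and serializes only allow-listed fields. All function names, tokens and records are constructed assumptions; the project's real handler is not shown on this page.

```python
# Added illustration with constructed data and hypothetical names; not IceCMS code.
from dataclasses import dataclass, asdict


@dataclass(frozen=True)
class User:
    user_id: int
    username: str
    password: str  # whatever is stored here must never leave the server
    email: str
    is_admin: bool = False


# Constructed sample records and session table (token -> user_id).
USERS = {
    1: User(1, "admin", "<stored-credential-1>", "admin@example.test", True),
    2: User(2, "alice", "<stored-credential-2>", "alice@example.test"),
}
SESSIONS = {"token-admin": 1, "token-alice": 2}

# Allow-list of fields that may be serialized; the credential is not on it.
RESPONSE_FIELDS = ("user_id", "username", "email")


def get_user_vulnerable(user_id):
    """Behaviour the issue describes: no login check, whole record returned."""
    user = USERS.get(user_id)
    return (404, {}) if user is None else (200, asdict(user))


def get_user_hardened(user_id, token):
    """Authenticate, authorize against the requested id, then filter fields."""
    caller_id = SESSIONS.get(token)
    if caller_id is None:
        return 401, {"error": "login required"}
    caller = USERS[caller_id]
    # Authorize before the lookup so a non-admin gets 403 for every other id,
    # whether or not it exists, and cannot enumerate accounts.
    if caller_id != user_id and not caller.is_admin:
        return 403, {"error": "forbidden"}
    target = USERS.get(user_id)
    if target is None:
        return 404, {"error": "not found"}
    record = asdict(target)
    return 200, {field: record[field] for field in RESPONSE_FIELDS}
```

The allow-list matters even after the access check is in place: serializing the whole record would still hand the stored credential to any authorized caller.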