CVE-2024-12901

5.3 MEDIUM

📋 TL;DR

This vulnerability in FoxCMS allows attackers to bypass authorization controls by manipulating password parameters in the API endpoint. It affects all FoxCMS installations up to version 1.2 that have the vulnerable API component exposed. Remote attackers can potentially gain unauthorized access to system functions.

💻 Affected Systems

Products:
  • FoxCMS
Versions: up to 1.2
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires the API endpoint to be accessible. The vulnerability is in the Site.php controller file.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise allowing unauthorized administrative access, data manipulation, or account takeover.

🟠 Likely Case

Unauthorized access to API functions, potentially leading to data exposure or limited privilege escalation.

🟢 If Mitigated

No impact if proper network segmentation and authentication controls prevent access to the vulnerable endpoint.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details have been publicly disclosed. The vulnerability involves manipulating password parameters to bypass authorization checks.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: No

Instructions:

No official patch available. Consider upgrading to a newer version if available, or implement workarounds.

🔧 Temporary Workarounds

Disable vulnerable API endpoint

all

Block or disable access to the /app/api/controller/Site.php endpoint

# Web server configuration example for Apache:
<Location "/app/api/controller/Site.php">
    Require all denied
</Location>
# Web server configuration example for Nginx:
location /app/api/controller/Site.php {
    deny all;
}

Implement API authentication

all

Add additional authentication layer before the vulnerable endpoint

# Example .htaccess protection for Apache:
AuthType Basic
AuthName "Restricted Access"
AuthUserFile /path/to/.htpasswd
Require valid-user

🧯 If You Can't Patch

  • Implement network segmentation to isolate FoxCMS from untrusted networks
  • Deploy web application firewall (WAF) rules to block suspicious password parameter manipulation

🔍 How to Verify

Check if Vulnerable:

Check whether the FoxCMS version is 1.2 or earlier and whether the /app/api/controller/Site.php endpoint is accessible

Check Version:

Check FoxCMS configuration files or admin panel for version information

Verify Fix Applied:

Test if authorization bypass via password parameter manipulation is no longer possible

📡 Detection & Monitoring

Log Indicators:

  • Unusual API requests to /app/api/controller/Site.php
  • Failed authorization attempts followed by successful access
  • Multiple requests with manipulated password parameters

Network Indicators:

  • HTTP requests to vulnerable endpoint with unusual password parameter values
  • Traffic patterns suggesting authorization bypass attempts

SIEM Query:

source="web_logs" AND uri="/app/api/controller/Site.php" AND (password="*" OR param_contains="password")
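
The log indicators above can also be checked directly against a web server access log. The following is an added example, not part of the original advisory or of FoxCMS: it assumes Apache/Nginx combined log format, treats 401/403 as a failed authorization and 2xx as successful access, and uses a hypothetical 5-minute correlation window; the sample lines are constructed.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

ENDPOINT = "/app/api/controller/Site.php"   # path named on this page
WINDOW = timedelta(minutes=5)               # assumption: correlation window
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (combined log format), not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Jan/2025:10:00:01 +0000] "POST /app/api/controller/Site.php HTTP/1.1" 403 120 "-" "curl/8.0"
198.51.100.7 - - [10/Jan/2025:10:00:09 +0000] "POST /app/api/controller/Site.php?password=REDACTED HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.20 - - [10/Jan/2025:10:01:00 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.20 - - [10/Jan/2025:10:02:00 +0000] "GET /app/api/controller/Site.php HTTP/1.1" 403 120 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Jan/2025:10:03:00 +0000] "GET /app/api/controller/Site.php HTTP/1.1" 401 120 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Jan/2025:10:30:00 +0000] "GET /app/api/controller/Site.php HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

def find_indicators(log_text, window=WINDOW):
    """Return (ip, timestamp, reason) tuples for hits on ENDPOINT."""
    alerts, last_denied = [], {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # skip lines in another format
        url = urlsplit(m["target"])
        if url.path != ENDPOINT:
            continue                      # only the endpoint from the advisory
        ip, status = m["ip"], int(m["status"])
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        # Indicator: a password parameter visible in the query string.
        if "password" in parse_qs(url.query, keep_blank_values=True):
            alerts.append((ip, ts, "password parameter in query string"))
        # Indicator: same client denied, then served successfully soon after.
        if status in (401, 403):
            last_denied[ip] = ts
        elif 200 <= status < 300 and ip in last_denied:
            if ts - last_denied.pop(ip) <= window:
                alerts.append((ip, ts, "denied then allowed within window"))
    return alerts

if __name__ == "__main__":
    for ip, ts, reason in find_indicators(SAMPLE_LOG):
        print(ts.isoformat(), ip, reason)
```

Standard access logs do not record POST bodies, so parameters sent in the request body are only visible to this check if request-body logging or a WAF audit log is enabled.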
