CVE-2024-46610
📋 TL;DR
An access control vulnerability in IceCMS v3.4.7 and earlier allows attackers to modify any user's information, including usernames and passwords, without proper authorization. This affects all IceCMS deployments running vulnerable versions. Attackers can exploit this by sending crafted POST requests to the /User/ChangeUser/s endpoint.
💻 Affected Systems
- IceCMS
📦 What is this software?
Icecms by Thecosy
⚠️ Risk & Real-World Impact
Worst Case
Attackers could take over administrator accounts, modify all user credentials, and gain complete control of the CMS instance, potentially leading to data theft, defacement, or further network compromise.
Likely Case
Attackers modify user credentials to gain unauthorized access to user accounts, potentially escalating privileges or performing unauthorized actions within the CMS.
If Mitigated
With proper access controls and authentication checks, the vulnerability would be prevented, limiting impact to authorized changes only.
🎯 Exploit Status
Exploitation requires sending a crafted POST request but does not require authentication. Public proof-of-concept details are available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v3.4.8 or later
Vendor Advisory: https://github.com/Thecosy/iceCMS
Restart Required: Yes
Instructions:
1. Backup your IceCMS installation and database
2. Download the latest version from the official repository
3. Replace the vulnerable files with patched versions
4. Restart the application server
🔧 Temporary Workarounds
Block vulnerable endpoint
Temporarily block access to the /User/ChangeUser/s endpoint using web server or firewall rules
# For Apache (requires RewriteEngine On; the optional leading slash lets the pattern match in both virtual-host and .htaccess context): RewriteRule ^/?User/ChangeUser/s - [F]
# For Nginx: location /User/ChangeUser/s { deny all; }
Implement request validation
Add middleware that authenticates the caller and checks that they are authorized to modify the target account before POST requests reach user modification endpoints
🧯 If You Can't Patch
- Implement strict network segmentation to isolate IceCMS from critical systems
- Enable detailed logging and monitoring for suspicious POST requests to user endpoints
🔍 How to Verify
Check if Vulnerable:
Check if your IceCMS version is 3.4.7 or earlier. Review the UserController.java file for missing authorization checks in the ChangeUser function.
Check Version:
Check the application version in the admin panel or review the project configuration files
Verify Fix Applied:
After updating, verify the version is 3.4.8 or later. Test that unauthorized POST requests to /User/ChangeUser/s are properly rejected.
📡 Detection & Monitoring
Log Indicators:
- Multiple POST requests to /User/ChangeUser/s from a single IP
- Unusual user modification events
- Failed authentication attempts followed by successful user modifications
Network Indicators:
- POST requests to /User/ChangeUser/s with unusual parameters
- Traffic spikes to user management endpoints
SIEM Query:
source="web_logs" AND (url="/User/ChangeUser/s" AND method="POST") | stats count by src_ip
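The log indicator and SIEM query above, implemented as an added Python example that is not part of this advisory: it parses access-log lines, counts POST requests to /User/ChangeUser/s per source IP, separates those the server answered with 2xx, and flags sources above a threshold. The sample log lines, the combined log format and the threshold of 2 are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in combined log format; not taken from the advisory.
SAMPLE_LOGS = """\
203.0.113.7 - - [10/Oct/2024:13:55:36 +0000] "POST /User/ChangeUser/s HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2024:13:55:37 +0000] "POST /User/ChangeUser/s HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2024:13:55:38 +0000] "POST /User/ChangeUser/s HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.4 - - [10/Oct/2024:13:56:01 +0000] "POST /User/ChangeUser/s HTTP/1.1" 403 0 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2024:13:57:10 +0000] "GET /User/ChangeUser/s HTTP/1.1" 405 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2024:13:58:22 +0000] "GET /index HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Combined-format fields we need: client IP, timestamp, method, path, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
WATCHED_PATH = "/User/ChangeUser/s"  # endpoint named in the advisory


def parse_line(line):
    """Parsed fields of one log line, or None if the line is not in combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def count_change_user_posts(log_text, path=WATCHED_PATH):
    """Same aggregation as the advisory's SIEM query (POSTs to the endpoint per source IP),
    plus how many the server answered 2xx: a successful change, not just an attempt."""
    posts, successes = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["method"] != "POST":
            continue
        if rec["path"].split("?", 1)[0] != path:  # drop query string, match path exactly
            continue
        posts[rec["ip"]] += 1
        if rec["status"].startswith("2"):
            successes[rec["ip"]] += 1
    return {ip: {"posts": n, "successful": successes[ip]} for ip, n in posts.items()}


def flag_sources(log_text, threshold=2):
    """IPs with more than `threshold` POSTs (threshold is an assumed tuning value)."""
    return sorted(ip for ip, s in count_change_user_posts(log_text).items() if s["posts"] > threshold)


if __name__ == "__main__":
    for ip, s in count_change_user_posts(SAMPLE_LOGS).items():
        print(f"{ip}: {s['posts']} POSTs, {s['successful']} answered 2xx")
    print("flagged:", flag_sources(SAMPLE_LOGS))
```

A source with several POSTs answered 2xx is the case to triage first, since the advisory's endpoint accepted the change; 4xx-only sources indicate blocked attempts.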