CVE-2025-63523
📋 TL;DR
FeehiCMS version 2.1.1 does not enforce on the server the read-only status that its client-side forms give to certain parameters. An authenticated attacker who edits the request in transit can therefore change fields such as the username, including usernames of accounts they are not authorized to modify. All FeehiCMS 2.1.1 installations that grant authenticated user access are affected.
💻 Affected Systems
- FeehiCMS 2.1.1
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
An authenticated attacker could escalate privileges by changing administrative usernames, potentially leading to account takeover and full system compromise.
Likely Case
Authenticated users can modify other users' usernames, causing account confusion, potential privilege escalation, and data integrity issues.
If Mitigated
With proper input validation and server-side checks, the impact is limited to failed modification attempts with appropriate logging.
🎯 Exploit Status
Exploitation requires an authenticated account but is otherwise straightforward: the attacker edits the username (or another read-only) parameter in transit with a standard intercepting proxy such as Burp Suite or OWASP ZAP.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.1.2 or later
Vendor Advisory: https://github.com/liufee/cms/issues/77
Restart Required: No
Instructions:
1. Back up your current installation.
2. Download FeehiCMS version 2.1.2 or later from the official repository.
3. Replace the affected files with the patched versions.
4. Verify the fix by testing the username modification functionality.
🔧 Temporary Workarounds
Implement Server-Side Validation
Add server-side checks that confirm the requesting user is permitted to change each submitted parameter before any change is applied. Parameters the UI presents as read-only (such as username) must be enforced as read-only on the server; client-side restrictions carry no security weight.
Modify the user management controllers to apply an allow-list of writable attributes server-side and to reject, not silently ignore, requests that carry anything else.
Web Application Firewall Rules
Configure the WAF to block parameter tampering on the user modification endpoints.
Add WAF rules that flag or block POST/PUT requests to user update endpoints carrying parameters the form does not legitimately submit (for example a username field on a self-service profile edit). This is a stopgap only: the same field is legitimate when an administrator renames an account, and the rule must be kept in sync with the form.
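The following Python is an added illustration of the server-side check described above; it is not FeehiCMS code (FeehiCMS is PHP), and the attribute names, roles, endpoint semantics and in-memory user table are assumptions made for the example. It places a mass-assignment handler, which writes whatever the client sends, beside a hardened one that authorizes the actor first and then applies only an allow-list of writable attributes.

```python
"""Vulnerable versus hardened user update handler.

Added illustration in Python, not FeehiCMS code: the attribute names,
roles and the in-memory user table are assumptions made for the example.
"""
from copy import deepcopy
from dataclasses import dataclass


@dataclass
class User:
    id: int
    username: str
    role: str            # "admin" or "user"
    email: str = ""
    nickname: str = ""


# Constructed sample data standing in for the CMS user table.
USERS = {
    1: User(1, "admin", "admin", "admin@example.test"),
    2: User(2, "alice", "user", "alice@example.test"),
}

# What a user may change on their own record. 'username' and 'role' are
# deliberately absent: the UI shows them read-only, and so must the server.
SELF_WRITABLE = frozenset({"email", "nickname"})
# What an administrator may change on any record.
ADMIN_WRITABLE = SELF_WRITABLE | {"username", "role"}


def update_user_vulnerable(users, actor_id, target_id, form):
    """Mass assignment: every key the client sends is written to the record.

    The UI marks username read-only, but nothing here enforces it, and
    nothing checks that actor may edit target at all. A proxy that adds
    username=... to the POST body is enough.
    """
    target = users[target_id]
    for key, value in form.items():
        if hasattr(target, key):
            setattr(target, key, value)
    return target


def update_user_hardened(users, actor_id, target_id, form):
    """Authorize first, then apply an allow-list of writable attributes.

    Unexpected keys fail the whole request rather than being silently
    dropped, so tampering attempts are visible in the application log.
    """
    actor = users[actor_id]
    is_admin = actor.role == "admin"
    if target_id != actor_id and not is_admin:
        return {"ok": False, "error": "forbidden", "rejected": sorted(form)}
    writable = ADMIN_WRITABLE if is_admin else SELF_WRITABLE
    rejected = sorted(set(form) - writable)
    if rejected:
        return {"ok": False, "error": "read_only_attribute", "rejected": rejected}
    target = users[target_id]
    for key, value in form.items():
        setattr(target, key, value)
    return {"ok": True, "updated": sorted(form)}


def demo():
    """Alice (id 2) submits a profile edit with a smuggled username field.

    Runs the same tampered form through both handlers, then shows the
    hardened handler refusing a cross-account edit and permitting an
    administrator's legitimate rename.
    """
    tampered = {"nickname": "Alice", "username": "hijacked"}
    vuln = deepcopy(USERS)
    update_user_vulnerable(vuln, actor_id=2, target_id=2, form=tampered)
    hard = deepcopy(USERS)
    self_result = update_user_hardened(hard, actor_id=2, target_id=2, form=tampered)
    cross_result = update_user_hardened(hard, actor_id=2, target_id=1, form=tampered)
    hardened_username = hard[2].username
    admin_result = update_user_hardened(hard, actor_id=1, target_id=2,
                                        form={"username": "alice2"})
    return {
        "vulnerable_username": vuln[2].username,
        "hardened_username": hardened_username,
        "self_edit": self_result,
        "cross_edit": cross_result,
        "admin_rename": admin_result,
    }


if __name__ == "__main__":
    print(demo())
```

The design point is the allow-list: the server never asks "is this field forbidden?" (a deny-list that breaks as soon as a new field is added) but "is this field explicitly writable for this actor on this target?". Rejecting the whole request on an unexpected key, rather than dropping it, is what makes the tampering attempt show up in the failed-modification logs the detection section relies on.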
🧯 If You Can't Patch
- Restrict user modification functionality to administrators only
- Implement additional authentication factors for sensitive user operations
🔍 How to Verify
Check if Vulnerable:
Test if authenticated users can modify read-only parameters by intercepting requests with tools like Burp Suite or OWASP ZAP.
Check Version:
Check the version.php file or admin panel for version information
Verify Fix Applied:
Attempt the same parameter modification after patching; server should reject unauthorized changes with proper error messages.
📡 Detection & Monitoring
Log Indicators:
- Repeated rejected user-modification requests from the same account
- User-modification requests whose submitted parameters include fields the form presents as read-only (for example username or role), especially from non-administrative accounts
Network Indicators:
- Unusual POST/PUT requests to user modification endpoints with modified parameters
SIEM Query (the endpoint paths and field names are placeholders; `parameter_tampering_detected` must be populated by a WAF or application audit log, since standard web-server access logs do not record POST bodies):
source="web_logs" AND (uri_path="/admin/user/update" OR uri_path="/user/modify") AND (status_code=200 OR status_code=302) AND parameter_tampering_detected=true
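The detection logic above, as an added Python example that is not part of the advisory: it assumes an application or reverse-proxy audit log that records, per request, the acting user, that user's role, the target record and the names of the submitted parameters (plain access logs do not carry POST bodies, so this must be enabled in the application or WAF). The endpoint paths, field names and the sample log lines are constructed for the example.

```python
"""Detecting read-only parameter tampering in user update requests.

Added illustration, not part of the advisory. Assumes an audit log with
one 'ts key=value ...' line per request; paths, field names and the
sample lines below are constructed.
"""
from collections import Counter

USER_UPDATE_PATHS = {"/admin/user/update", "/user/modify"}
READ_ONLY_FIELDS = {"username", "role"}      # read-only for non-admins
SUCCESS_STATUSES = {"200", "302"}

# Constructed sample audit lines.
SAMPLE_LOG = """\
2025-01-10T09:00:01Z method=POST path=/user/modify actor=alice actor_role=user target=alice params=nickname,email status=302
2025-01-10T09:00:07Z method=POST path=/user/modify actor=alice actor_role=user target=alice params=nickname,username status=302
2025-01-10T09:01:00Z method=POST path=/admin/user/update actor=bob actor_role=user target=admin params=username status=403
2025-01-10T09:01:04Z method=POST path=/admin/user/update actor=bob actor_role=user target=admin params=username,role status=403
2025-01-10T09:01:09Z method=PUT path=/admin/user/update actor=bob actor_role=user target=admin params=username status=403
2025-01-10T09:02:00Z method=POST path=/admin/user/update actor=admin actor_role=admin target=bob params=username status=200
2025-01-10T09:02:30Z method=GET path=/user/modify actor=alice actor_role=user target=alice params= status=200
"""


def parse_line(line):
    """Split 'ts k=v k=v ...' into a dict; tolerant of an empty 'params='."""
    ts, _, rest = line.strip().partition(" ")
    event = {"ts": ts}
    for token in rest.split():
        key, _, value = token.partition("=")
        event[key] = value
    return event


def analyze(log_text, fail_threshold=3):
    """Return alerts for non-admin update requests that carry read-only fields.

    A request is flagged whether or not it succeeded: 200/302 means the
    server may have accepted the tampered value (high), a 4xx means an
    attempt that a patched server rejected (medium). Repeated rejected
    attempts by one actor are summarised as a burst alert.
    """
    alerts = []
    rejected_by_actor = Counter()
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev.get("method") not in {"POST", "PUT"}:
            continue
        if ev.get("path") not in USER_UPDATE_PATHS:
            continue
        if ev.get("actor_role") == "admin":
            continue                     # admins legitimately rename accounts
        params = set(filter(None, ev.get("params", "").split(",")))
        tampered = sorted(params & READ_ONLY_FIELDS)
        if not tampered:
            continue
        accepted = ev.get("status") in SUCCESS_STATUSES
        alerts.append({
            "kind": "read_only_tamper",
            "severity": "high" if accepted else "medium",
            "actor": ev.get("actor"),
            "target": ev.get("target"),
            "path": ev.get("path"),
            "fields": tampered,
            "ts": ev["ts"],
        })
        if not accepted:
            rejected_by_actor[ev.get("actor")] += 1
    for actor, count in rejected_by_actor.items():
        if count >= fail_threshold:
            alerts.append({"kind": "tamper_burst", "severity": "medium",
                           "actor": actor, "count": count})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

Against the constructed log this raises one high alert (alice's accepted self-edit that smuggled a username, the unpatched case), three medium alerts for bob's rejected attempts against the admin record, and one burst alert for bob; the admin's own rename and the GET are ignored. Tune `READ_ONLY_FIELDS` and the path set to the real form and routes before deploying.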