Natstheway

**Name of the Vulnerable Software and Affected Versions** Gleez CMS version 1.2.0 **Description** The issue is related to insufficient server-side access control and login attempt limit enforcement on the login page. This could allow an unauthenticated, remote attacker to perform multiple user enumerations by sending modified login attempts to the Portal login page, such as navigating to the `user/4` URI. An exploit could enable the attacker to identify existing users and perform brute-force password attacks. **Recommendations** For Gleez CMS version 1.2.0, consider temporarily restricting access to the login page or implementing additional server-side access controls to minimize the risk of exploitation. Restricting the number of login attempts from a single IP address within a certain time frame can also help mitigate the issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Gleez CMS version 1.2.0 **Description** The issue allows attackers, who are logged-in users, to view the profile page of other users due to an Insecure Direct Object Reference. This can be demonstrated by navigating to the "user/3" endpoint on demo.gleezcms.org. **Recommendations** For Gleez CMS version 1.2.0, as a temporary workaround, consider restricting access to the user profile page endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.