PT-2024-17789 · Foxcms · Foxcms
Glzjin · Published 2024-12-23 · Updated 2025-07-15 · CVE-2024-12901
CVSS v4.0: 6.9 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions
FoxCMS versions up to 1.2
Description
A critical issue was found in the API Endpoint component, specifically in the file /app/api/controller/Site.php. Manipulation of the password argument leads to improper authorization, and the flaw can be triggered remotely. The issue has been publicly disclosed and may be exploited.
Recommendations
For FoxCMS versions up to 1.2, update to a version that fixes the improper authorization issue.
As a temporary workaround, consider restricting access to the API Endpoint, specifically the file /app/api/controller/Site.php, to minimize the risk of exploitation.
Avoid using the password argument in the affected API endpoint until the issue is resolved.
Exploit
Fix
Improper Authorization
Incorrect Privilege Assignment
Related Identifiers
Affected Products
Foxcms