| Título | liufee cms 2.1.1 Any Article Delete |
|---|
| Descripción | A vulnerability was found in Feehi CMS 2.1.1. It has been classified as critical. Affected are multiple REST API endpoints (GET, POST, PUT, DELETE) of the /api/articles and /api/articles/{id} routes handled by api/controllers/ArticleController.php. The vulnerability is caused by a missing authentication mechanism ArticleController does not override the behaviors() method, resulting in no authenticator or access control filter being applied to any CRUD action. An unauthenticated remote attacker can retrieve all articles including unpublished drafts which may contain sensitive internal content, create new articles, modify existing ones, and permanently delete any article by simply sending the corresponding HTTP request without any token or credentials. This vulnerability requires zero authentication and exposes full read and write access to all article resources. |
|---|
| Fuente | ⚠️ https://github.com/liufee/cms/issues/87 |
|---|
| Usuario | byname (UID 98259) |
|---|
| Sumisión | 2026-05-29 10:16 (hace 1 mes) |
|---|
| Moderación | 2026-06-28 12:58 (1 month later) |
|---|
| Estado | Aceptado |
|---|
| Entrada de VulDB | 374554 [Feehi CMS hasta 2.1.1 REST API Endpoint /api/articles autenticación débil] |
|---|
| Puntos | 20 |
|---|