Submission #842602: liufee cms 2.1.1 Authorization Bypass (information)

Title: liufee cms 2.1.1 Authorization Bypass
Description: A vulnerability was found in Feehi CMS 2.1.1. It has been declared as critical. Affected is the DELETE handler of the /api/users/{id} endpoint in api/controllers/UserController.php. The vulnerability arises because UserController inherits from Yii2's ActiveController and only validates token authenticity, without performing any role-based or ownership-based authorization check. A remote, low-privileged authenticated attacker can send a DELETE request to /api/users/{id} with an arbitrary user ID to permanently delete any user account, including administrators. The server returns HTTP 204 No Content with no confirmation or ownership verification, and subsequent GET requests to the same endpoint return HTTP 404, confirming irreversible data loss. The /api/v1/users/{id} endpoint is equally affected. This vulnerability completely violates the principle of least privilege and can be exploited to cause denial of service, permanent destruction of user data, and disruption of application functionality.
Source: https://github.com/liufee/cms/issues/89
User: byname (UID 98259)
Submitted: 29/05/2026 10:13 (1 month ago)
Moderated: 28/06/2026 12:57 (1 month later)
Status: Duplicate
VulDB entry: 374552 [Feehi CMS up to 2.1.1 API /api/users privilege escalation]
Points: 0
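The root cause named in the description is a Yii2 pattern: yii\rest\ActiveController passes every built-in action through checkAccess(), but the base method is empty, so a subclass that only attaches an authenticator verifies the token and authorizes nothing. The following is an added illustration of that gap and its fix, not Feehi's own code; the model class and the isAdmin() helper on the identity class are assumed.

```php
<?php
// Added illustration, not Feehi's code: a REST controller whose only
// protection is HttpBearerAuth. Without the checkAccess() override below,
// any holder of a valid token can DELETE /users/{id} for any id and get 204.
namespace app\api\controllers;

use Yii;
use yii\rest\ActiveController;
use yii\filters\auth\HttpBearerAuth;
use yii\web\ForbiddenHttpException;

class UserController extends ActiveController
{
    // Assumed model class; the page does not name Feehi's user model.
    public $modelClass = 'app\models\User';

    public function behaviors()
    {
        $behaviors = parent::behaviors();
        // Authentication only: establishes who is calling, not what they may do.
        $behaviors['authenticator'] = ['class' => HttpBearerAuth::class];
        return $behaviors;
    }

    // Authorization: ActiveController's built-in actions call this before
    // acting; $model is the loaded record for view/update/delete and null
    // for index/create. The inherited implementation does nothing.
    public function checkAccess($action, $model = null, $params = [])
    {
        $identity = Yii::$app->user->identity;
        // isAdmin() is an assumed role helper on the identity class.
        $isAdmin = $identity !== null && $identity->isAdmin();

        if (in_array($action, ['update', 'delete'], true)) {
            $isOwner = $model !== null
                && (int) $model->id === (int) Yii::$app->user->id;
            if (!$isAdmin && !$isOwner) {
                // Yields HTTP 403 instead of deleting and answering 204.
                throw new ForbiddenHttpException(
                    "Not permitted to {$action} this user."
                );
            }
        }
    }
}
```

The override covers update as well as the delete handler the submission reports, since both receive the loaded model and share the same missing check.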
