Submission #842603: liufee cms 2.1.1 Any Article Delete

Title: liufee cms 2.1.1 Any Article Delete
Description: A vulnerability was found in Feehi CMS 2.1.1. It has been classified as critical. Affected are multiple REST API endpoints (GET, POST, PUT, DELETE) of the /api/articles and /api/articles/{id} routes handled by api/controllers/ArticleController.php. The vulnerability is caused by a missing authentication mechanism: ArticleController does not override the behaviors() method, resulting in no authenticator or access control filter being applied to any CRUD action. An unauthenticated remote attacker can retrieve all articles, including unpublished drafts which may contain sensitive internal content, create new articles, modify existing ones, and permanently delete any article by simply sending the corresponding HTTP request without any token or credentials. This vulnerability requires zero authentication and exposes full read and write access to all article resources.
Source: ⚠️ https://github.com/liufee/cms/issues/87
User: byname (UID 98259)
Submission: 2026-05-29 10:16 AM (1 month ago)
Moderation: 2026-06-28 12:58 PM (1 month later)
Status: Accepted
VulDB entry: 374554 [Feehi CMS up to 2.1.1 REST API Endpoint /api/articles weak authentication]
Points: 20
