| Title | Maccms MacCMS 2025.1000.4052 Missing Authentication |
|---|
| Description | MacCMS v10 (maccms10-2025.1000.4052) contains an authentication bypass vulnerability in the api/Timming endpoint.
The backend authentication check in application/admin/controller/Base.php explicitly skips login verification when the request entrance is "api" and the controller is "Timming". As a result, unauthenticated remote attackers can trigger backend scheduled tasks directly through the public API endpoint.
The api/Timming controller invokes administrative controllers (such as admin/collect, admin/make, admin/index/clear, and admin/urlsend) without validating the caller's identity. When any scheduled task is enabled in application/extra/timming.php, an attacker can force its execution by sending a request such as:
GET /api.php/timming/index?name=<task>&enforce=1
This allows unauthorized triggering of administrative operations, including content collection, static page generation, cache clearing, and outbound requests. Depending on the configured tasks, this may lead to denial of service, server-side request forgery (SSRF), or other unintended backend actions. |
|---|
| Source | ⚠️ https://github.com/HuajiHD/CVE/issues/9 |
|---|
| User | HuajiHD (UID 96230) |
|---|
| Submitted | 08/03/2026 08:55 (3 months ago) |
|---|
| Moderated | 22/03/2026 09:20 (14 days later) |
|---|
| Status | accepted |
|---|
| VulDB Entry | 352399 [MacCMS 2025.1000.4052 Timming API Endpoint Timming.php weak authentication] |
|---|
| Points | 20 |
|---|
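As an added example, not part of this VulDB entry and not code from the MacCMS project: a small Python check that scans web-server access logs for the request pattern described above, flagging hits to the Timming endpoint from any host other than the one expected to drive the scheduler. Because the controller performs no identity check at all, the source address is the only thing that separates a legitimate cron trigger from an attacker's request, so the check keys on that. The combined-log format, the sample log lines, and the trusted-source list are assumptions made for this example.

```python
import re
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (nginx/Apache "combined" format); not real traffic.
# Line 1 is the deployment's own cron trigger from localhost; lines 2, 3 and 5 come from an
# untrusted host; line 4 is unrelated front-end traffic.
SAMPLE_LOG = """\
127.0.0.1 - - [10/Mar/2026:03:00:01 +0000] "GET /api.php/timming/index?name=collect HTTP/1.1" 200 512 "-" "curl/8.4.0"
203.0.113.7 - - [10/Mar/2026:03:12:44 +0000] "GET /api.php/timming/index?name=collect&enforce=1 HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2026:03:12:45 +0000] "GET /api.php/Timming/index?name=clear&enforce=1 HTTP/1.1" 200 128 "-" "python-requests/2.31"
198.51.100.9 - - [10/Mar/2026:03:13:02 +0000] "GET /index.php/vod/detail?id=1 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2026:03:13:10 +0000] "POST /api.php/timming/index HTTP/1.1" 200 64 "-" "python-requests/2.31"
"""

# Minimal parser for the combined log format: client IP, timestamp, method, target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumption for this example: only these networks are allowed to call the scheduler
# (for instance the host whose cron job triggers api.php/timming/index).
TRUSTED_SOURCES = [ip_network("127.0.0.1/32"), ip_network("10.0.0.0/8")]


def parse_line(line):
    """Return a dict with ip/ts/method/path/query/status, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query)
    return rec


def is_timming_hit(rec):
    """True for any request under /api.php/timming/ (the page writes the controller both as
    'timming' and 'Timming', so match case-insensitively)."""
    return rec["path"].lower().startswith("/api.php/timming/")


def is_trusted(ip):
    """True if the client address falls inside one of the TRUSTED_SOURCES networks."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_SOURCES)


def find_suspicious(log_text):
    """Return one finding per Timming-endpoint request that did not come from a trusted source.

    The 'task' is the name= parameter from the page's request pattern and 'enforce' is whether
    enforce=1 was supplied; both are None/False when absent (e.g. a bare POST)."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_timming_hit(rec) or is_trusted(rec["ip"]):
            continue
        findings.append({
            "ip": rec["ip"],
            "ts": rec["ts"],
            "method": rec["method"],
            "task": rec["query"].get("name", [""])[0],
            "enforce": rec["query"].get("enforce", ["0"])[0] == "1",
            "status": int(rec["status"]),
        })
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['method']} task={f['task'] or '-'} "
              f"enforce={f['enforce']} status={f['status']}")
```

Tune TRUSTED_SOURCES to the address that actually drives your scheduler; a deployment whose cron job calls this endpoint over the network will otherwise flag its own trigger. A 200 response to an untrusted request carrying enforce=1 is the strongest signal that a task was forced, but since the endpoint skips authentication entirely, any hit from outside the trusted set is worth investigating, including requests with no task name at all.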