VYPR
Moderate severity · NVD Advisory · Published Sep 7, 2018 · Updated Aug 5, 2024

CVE-2018-16704

Description

Gleez CMS v1.2.0 and v1.3.0 have an IDOR vulnerability allowing any logged-in user to view any other user's profile by changing the numeric ID in the URL.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

An Insecure Direct Object Reference (IDOR) vulnerability exists in Gleez CMS versions 1.2.0 and 1.3.0. The user profile endpoint at /user/{id} does not verify that the currently authenticated user has permission to view the requested profile. This allows a logged-in user to access the profile of any other user simply by changing the numeric user ID in the URL [1][3].

Exploitation

An attacker must have a valid user account on the Gleez CMS instance. After logging in (e.g., with the demo credentials: username demo, password demo), the attacker can navigate to their own profile, which populates the URL as https://example.com/user/3 [2][3]. By modifying the ID in the URL (e.g., user/4, user/5), the attacker can browse profiles of other users without any additional authentication or authorization checks [1][3].

Impact

A successful attack allows the attacker to view the following information from other users' profiles: username, profile photo, last visited date, joined date, and number of visits [3]. The vulnerability does not permit modification of any data or escalation to other actions, but it does leak personally identifiable and account-usage information to unauthorized users, violating the intended access control [1].

Mitigation

The Gleez CMS repository has been archived and is no longer maintained [3]. No patched version has been released. As a workaround, site administrators can implement custom middleware or HTTP access controls to validate user ownership or role-based permissions for the profile endpoint. Because the project is end-of-life, upgrading to an active fork or alternative CMS may be the most practical long-term solution.

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: gleez/cms (Packagist)
Affected versions: <= 1.2.0
Patched versions: none listed

Affected products: 1

Patches: 0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing authorization check on user profile endpoint allows any authenticated user to access any other user's profile by changing the numeric user ID in the URL."

Attack vector

An attacker who is already logged in to Gleez CMS can navigate to /user/{id} and replace the numeric ID (e.g., change 3 to 4, 5, or 6) to view the profile page of any other user [ref_id=1]. The application does not verify that the authenticated session corresponds to the requested user ID, enabling an Insecure Direct Object Reference (IDOR) attack [CWE-639]. No special payload or tooling is required — simply modifying the URL parameter in the browser suffices.

Affected code

The advisory does not identify specific files or functions. The vulnerable endpoint is /user/{id} on the Gleez CMS demo site [ref_id=1]. The code path that handles user profile display lacks an ownership or permission check on the numeric user ID parameter.

What the fix does

No patch is available in the bundle — the repository was archived by the owner on May 5, 2026 and is now read-only [ref_id=1]. The advisory does not specify any remediation steps. To close this vulnerability, the application would need to enforce an authorization check on the user profile endpoint, ensuring that a logged-in user can only view their own profile unless they hold an administrative role.
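
The check described above, sketched as an added example; this is not Gleez CMS code and not a published patch. The function name, the shape of the session array and the 'admin' role name are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Added example, not Gleez CMS code. Decides whether the logged-in viewer
 * may load the profile named in the request path.
 * Returns null when the path is not a profile URL (the check does not apply),
 * otherwise the HTTP status to send: 200 allow, 401 no session, 403 denied.
 * $viewer shape (assumed): ['id' => int, 'roles' => string[]], or null.
 */
function profile_access_status(?array $viewer, string $path): ?int
{
    // Match only /user/{numeric id}, optional trailing slash; the D modifier
    // stops "$" from matching before a trailing newline.
    if (preg_match('#^/user/(\d+)/?$#D', $path, $m) !== 1) {
        return null;
    }
    if ($viewer === null) {
        return 401;
    }
    // Compare as digit strings: leading zeros ("/user/04") are normalized and
    // oversized numbers never overflow into another account's ID.
    $requested = ltrim($m[1], '0');
    $isOwner = $requested === (string) $viewer['id'];
    $isAdmin = in_array('admin', $viewer['roles'] ?? [], true);

    // Deny by default: only the owner or an administrator sees the page.
    return ($isOwner || $isAdmin) ? 200 : 403;
}

// Constructed sample sessions and requests (IDs follow the page's /user/3 example).
$demo  = ['id' => 3, 'roles' => ['login']];
$admin = ['id' => 1, 'roles' => ['login', 'admin']];
$cases = [
    ['demo',  $demo,  '/user/3'],
    ['demo',  $demo,  '/user/4'],
    ['demo',  $demo,  '/user/04'],
    ['admin', $admin, '/user/4'],
    ['anon',  null,   '/user/3'],
    ['demo',  $demo,  '/blog/3'],
];
foreach ($cases as [$who, $viewer, $path]) {
    $status = profile_access_status($viewer, $path);
    printf("%-5s %-9s => %s\n", $who, $path, $status ?? 'n/a (not a profile URL)');
}
```

The decision depends only on the server-side session and the requested ID, so it has to run before the profile record is loaded or rendered.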

Preconditions

  • auth: Attacker must be logged in to Gleez CMS with any valid user account.
  • input: Attacker must be able to modify the numeric user ID in the /user/{id} URL path.

Reproduction

Log in as user "demo" with password "demo" on the Gleez CMS instance. Observe the URL /user/3 in the address bar. Change the user ID from 3 to 4, 5, or 6. The profile page of the corresponding user will be displayed [ref_id=1].

Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 3
