VYPR
Moderate severity · NVD Advisory · Published Mar 28, 2022 · Updated Aug 3, 2024

CVE-2021-26598

Description

ImpressCMS before 1.4.3 has Incorrect Access Control because include/findusers.php allows access by unauthenticated attackers (who are, by design, able to have a security token).

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

ImpressCMS before 1.4.3 allows unauthenticated attackers to access findusers.php via a valid security token, enabling user information disclosure.

Vulnerability

In ImpressCMS versions before 1.4.3, the /include/findusers.php script has incorrect access control logic. The script is intended for authenticated administrators only, but it also accepts a valid security token in place of the authentication check. This token can be generated by unauthenticated users through other parts of the application, such as misc.php. An attacker can obtain such a token and then access findusers.php without authentication. The issue is described in the CVE entry [1] and detailed in an advisory [4]. The fix was implemented in version 1.4.3 [3].

Exploitation

An unauthenticated attacker first obtains a valid security token from a publicly accessible page like misc.php (which generates tokens without requiring login). The attacker then sends a request to /include/findusers.php with the token parameter set to that token. Because of the flawed conditional check, the script processes the request and exposes functionality that is normally restricted to administrators. The advisory [4] explains that the token validation does not verify whether the user is authenticated, so any token from any session is accepted.

Impact

Successful exploitation allows an unauthenticated attacker to access the find users functionality, which can be used to enumerate registered users, obtain personal information, and potentially gather data about the user base. This constitutes a confidentiality breach (information disclosure) and can be a stepping stone for further attacks like targeted phishing or credential stuffing. The privilege level achieved is that of an unauthenticated user accessing admin-level functionality.

Mitigation

The vulnerability is fixed in ImpressCMS version 1.4.3, released on 2022-02-06 [3]. Users should upgrade to this version or later. The release includes commits that filter the URL variable in findusers.php and ensure that the token is accepted only for valid users [3]. No workarounds are documented; upgrading is the advised solution.
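The flawed check and the corrected one described above, reduced to a small Python model (an added example, not ImpressCMS code). `Session`, `issue_token`, `flawed_gate`, `fixed_gate` and the HMAC token scheme are assumptions made for illustration; the fixed gate follows the page's wording that the token is accepted only for valid users.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

SERVER_KEY = secrets.token_bytes(32)  # constructed signing key for the model


@dataclass
class Session:
    """Hypothetical session; user_id is None for an anonymous visitor."""
    user_id: Optional[int] = None
    is_admin: bool = False
    sid: str = field(default_factory=lambda: secrets.token_hex(16))


def issue_token(session: Session) -> str:
    """Anti-forgery token bound to a session. Public pages hand one to
    any visitor, so holding it proves nothing about who the visitor is."""
    return hmac.new(SERVER_KEY, session.sid.encode(), hashlib.sha256).hexdigest()


def token_valid(session: Session, token: str) -> bool:
    return hmac.compare_digest(issue_token(session), token or "")


def flawed_gate(session: Session, token: str) -> bool:
    """Pre-fix pattern: a valid token stands in for the admin check."""
    return session.is_admin or token_valid(session, token)


def fixed_gate(session: Session, token: str) -> bool:
    """Post-fix pattern: the token is only considered for a logged-in user."""
    if session.user_id is None:
        return False
    return session.is_admin or token_valid(session, token)


def outcomes(gate) -> dict:
    """Run one gate against three constructed sessions, each presenting
    a token issued to that same session."""
    sessions = {
        "anonymous": Session(),
        "member": Session(user_id=7),
        "admin": Session(user_id=1, is_admin=True),
    }
    return {name: gate(s, issue_token(s)) for name, s in sessions.items()}
```

Comparing `outcomes(flawed_gate)` with `outcomes(fixed_gate)` shows the only session whose result changes is the anonymous one, which is the regression test to keep after upgrading.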

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| impresscms/impresscms (Packagist) | < 1.4.3 | 1.4.3 |
