VYPR
Moderate severity · NVD Advisory · Published Jun 14, 2022 · Updated Aug 4, 2024

CVE-2021-40616

Description

ThinkCMF v5.1.7 has an authorization bypass. An attacker who holds the back-end (admin panel) user management group permission can modify the password of the administrator account with id 1. The precondition for exploitation is that the attacker already has the back-end user management group permission.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

ThinkCMF v5.1.7 lets a back-end user who holds the user management group permission change the password of administrator account ID 1, an account that lower-privileged users should not be able to edit.

Vulnerability Analysis

ThinkCMF v5.1.7 contains an authorization bypass that allows an attacker to modify the password of the administrator account with ID 1. The root cause is that the user edit flow checks only the user management group permission and performs no object-level check on which account is being edited, so a password change request for account ID 1 is processed like any other. The vulnerable file is identified as /public/plugins/portal/controller/AdminRbacController.php [3].

Exploitation

Prerequisites

The attacker must already hold a back-end account whose group has the user management permission; this is a vertical privilege escalation from that role to the built-in super administrator, not an unauthenticated attack. By default the admin UI does not offer a way to change the password of account ID 1, so the restriction exists only in the interface and is not enforced on the server [3]. An attacker can request /admin/user/edit/id/1.html directly and submit the password modification form for account ID 1, which the server accepts on the strength of the group permission alone [3].

Impact

Successful exploitation allows an attacker to reset the password of the primary administrator account (ID 1). This grants the attacker full administrative control over the ThinkCMF instance, potentially leading to complete compromise of the application and its data [2][3].

Mitigation

The GitHub Security Advisory lists thinkcmf/thinkcmf 6.0.0 as the patched version, so affected deployments (< 6.0.0) should upgrade. Until then, limit the user management group permission to fully trusted accounts, treat every member of that group as equivalent to the super administrator, and audit edits of account ID 1 that originate from any other account. The issue was reported on the project's GitHub repository, and users should monitor it for official fixes [1][3].
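The analysis and mitigation above come down to one missing object-level check. The following Python model is an added example and is not ThinkCMF's code: the user table, the permission string admin/user/edit, the request shape and every function name are assumptions made for illustration. It places the permission-only handler (any user-manager can overwrite account 1) beside a hardened handler that additionally refuses edits of the super administrator by anyone but that account, enforced server-side rather than by hiding a button in the UI.

```python
# Added illustration of the authorization gap behind CVE-2021-40616. NOT ThinkCMF
# code: the user/role model, permission name, request shape and function names
# are assumptions made for this example.
import hashlib
from dataclasses import dataclass, field

SUPER_ADMIN_ID = 1                      # the built-in administrator account, id 1
PERM_USER_MANAGE = "admin/user/edit"    # hypothetical name of the user-management group permission
DEMO_SALT = b"constructed-salt"         # constructed; real code uses a per-user random salt


@dataclass
class User:
    id: int
    password_hash: bytes
    permissions: set = field(default_factory=set)


@dataclass
class EditRequest:
    actor_id: int    # authenticated back-end user sending the request
    target_id: int   # the <id> in /admin/user/edit/id/<id>.html
    new_password: str


class AuthorizationError(Exception):
    pass


def hash_password(password: str, salt: bytes) -> bytes:
    # Demo only; production code should use a dedicated password hash (argon2/bcrypt).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_users() -> dict:
    """Constructed user table: super admin (1), a user-manager (2), a plain user (3)."""
    return {
        1: User(1, hash_password("admin-secret", DEMO_SALT), {PERM_USER_MANAGE, "admin/setting"}),
        2: User(2, hash_password("editor-secret", DEMO_SALT), {PERM_USER_MANAGE}),
        3: User(3, hash_password("viewer-secret", DEMO_SALT), set()),
    }


def edit_user_vulnerable(users: dict, req: EditRequest) -> User:
    """Checks only the group permission; any user-manager can overwrite account 1."""
    actor = users[req.actor_id]
    if PERM_USER_MANAGE not in actor.permissions:
        raise AuthorizationError("missing user-management permission")
    target = users[req.target_id]
    target.password_hash = hash_password(req.new_password, DEMO_SALT)
    return target


def edit_user_hardened(users: dict, req: EditRequest) -> User:
    """Same permission check plus an object-level rule for the super administrator."""
    actor = users[req.actor_id]
    if PERM_USER_MANAGE not in actor.permissions:
        raise AuthorizationError("missing user-management permission")
    # Account 1 must not be editable by anyone else. This check lives in the
    # handler, so requesting /admin/user/edit/id/1.html directly does not bypass it.
    if req.target_id == SUPER_ADMIN_ID and req.actor_id != SUPER_ADMIN_ID:
        raise AuthorizationError("only the super administrator may edit account 1")
    target = users[req.target_id]
    target.password_hash = hash_password(req.new_password, DEMO_SALT)
    return target


def attempt(handler, req: EditRequest) -> str:
    """Runs one handler on a fresh user table; returns 'changed', 'denied' or 'unchanged'."""
    users = make_users()
    before = users[req.target_id].password_hash
    try:
        handler(users, req)
    except AuthorizationError:
        return "denied"
    return "changed" if users[req.target_id].password_hash != before else "unchanged"


def run_demo() -> dict:
    # User 2 (user-manager, not the super admin) tries to reset account 1's password.
    takeover = EditRequest(actor_id=2, target_id=SUPER_ADMIN_ID, new_password="pwned")
    return {
        "vulnerable": attempt(edit_user_vulnerable, takeover),
        "hardened": attempt(edit_user_hardened, takeover),
        "hardened_self": attempt(edit_user_hardened, EditRequest(1, 1, "rotated")),
        "hardened_no_perm": attempt(edit_user_hardened, EditRequest(3, 2, "x")),
    }


if __name__ == "__main__":
    print(run_demo())
```

The hardened handler still lets the super administrator rotate their own password and still rejects users outside the management group; the only new refusal is the cross-account edit of ID 1, which is exactly the case the advisory describes.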

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: thinkcmf/thinkcmf (Packagist)
Affected versions: < 6.0.0
Patched versions: 6.0.0

Affected products: 2

Patches: 0 (no patches discovered yet)


References: 3

News mentions: 0 (no linked articles in our index yet)