Improper Access Control in instantsoft/icms2

Vulnerability

The vulnerability resides in the password editing functionality of icms2, an open-source CMS. In versions prior to 2.16.1-git, the actionUsersProfileEditPassword class lacked proper access control. The code only verified that the user was an administrator or the profile owner, but did not prevent an administrator from editing another administrator's profile. This allowed any admin to change the password of any other admin. The fix was introduced in commit [1] and is included in version 2.16.1-git.

Exploitation

An attacker with administrative privileges could navigate to the password edit page of another administrator. No additional authentication or user interaction is required beyond having admin access. The attacker would simply access the profile edit password URL for the target admin and submit a new password. The system would accept the change because the access control only verified that the user was an admin, not that they were editing their own profile.

Impact

An attacker could change the password of any other administrator, effectively gaining full control over that account. This could lead to privilege escalation, data manipulation, or complete compromise of the CMS instance. The confidentiality, integrity, and availability of the system could be severely affected.

Mitigation

The vulnerability is fixed in version 2.16.1-git. Users should update to this version or later. The commit [1] implements the fix by adding a check that prevents admins from editing other admins' profiles. No workarounds are mentioned in the available references [2]. The CVE is not listed in KEV as of the publication date.