CVE-2024-31666
Description
An issue in flusity-CMS v.2.33 allows a remote attacker to execute arbitrary code via a crafted script to the edit_addon_post.php component.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Flusity-CMS v2.33 allows remote attackers to execute arbitrary code via a crafted script to edit_addon_post.php due to missing authorization checks.
Vulnerability
Flusity-CMS version 2.33 contains an authorization bypass vulnerability in the /cover/addons/jd_simple_zer/action/edit_addon_post.php component. An ordinary user (e.g., "cs2") can access this endpoint without proper privilege checks, allowing a remote attacker to execute arbitrary code via a crafted script [1].
Exploitation
An attacker with a valid ordinary user account (or who has obtained such credentials by other means) can send a crafted script to the edit_addon_post.php endpoint. The reference demonstrates that an ordinary user (cs2) can successfully execute the function that should be restricted to administrators [1]. No additional authentication bypass is required beyond having a user account.
Impact
Successful exploitation allows the attacker to execute arbitrary code on the server, leading to full compromise of the CMS instance. This includes potential data theft, defacement, or further lateral movement within the hosting environment.
Mitigation
As of the publication date (2024-04-22), no official patch has been released by the vendor. The affected version is v2.33. Users should restrict access to the vulnerable endpoint via web server configuration or apply input validation until a fix is available. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- flusity/CMS
- Range: = 2.33
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.