CVE-2025-63523
Description
FeehiCMS version 2.1.1 fails to enforce server-side immutability for parameters that are presented to clients as "read-only." An authenticated attacker can intercept and modify the parameter in transit and the backend accepts the changes. This can lead to unintended username changes.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
FeehiCMS 2.1.1.1 fails to enforce server-side immutability for read-only parameters, allowing authenticated attackers to modify usernames via request tampering.
Vulnerability
Overview
FeehiCMS version 2.1.1 does not enforce server-side immutability for parameters that are presented to clients as read-only. The application relies solely on client-side restrictions, such as HTML readonly attributes, to prevent modification of certain fields. An authenticated attacker can intercept the HTTP request in transit, add or modify the parameter (e.g., username), and the backend accepts the altered value without validation [1][3].
Exploitation
To exploit this vulnerability, an attacker must have a valid backend user account. The proof of concept demonstrates registering two users, logging into the backend, navigating to the user module, and observing that the username field is marked as readonly in the browser. By intercepting the update request (e.g., using a proxy), the attacker can add the username parameter with a different value. The server processes the request and changes the username accordingly [3][4].
Impact
Successful exploitation allows an authenticated attacker to change the username of any user account they have permission to edit. This can lead to account confusion, impersonation, or disruption of user management. The CVSS v3.1 score is 3.5 (Low), with a vector string of AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N, indicating low impact but requiring user interaction (the attacker must be authenticated and the victim must perform an action that triggers the update) [3].
Mitigation
The vendor has not released a patch as of the publication date. Recommended remediations include omitting the affected parameter from server-side processing or validating only whitelisted parameters during user updates [3]. Users should apply input validation on the server side and avoid trusting client-side readonly attributes for security enforcement.
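The allowlist remediation above, as an added illustration that is not FeehiCMS code: a profile-update handler that applies every submitted field (the behaviour the advisory describes) beside one that writes only an explicit allowlist and reports any read-only parameter it drops, which is also a useful tampering signal for logging. Field names and sample records are assumptions.

```python
from typing import Dict, List, Tuple

# Assumed field sets for this illustration (not FeehiCMS configuration).
EDITABLE_FIELDS = {"email", "display_name"}  # fields the form lets the user change
IMMUTABLE_FIELDS = {"username"}              # shown readonly in the UI; must stay read-only server-side


def update_user_vulnerable(user: Dict, params: Dict) -> Dict:
    """Trusts the client: every submitted parameter is written to the record.

    A 'username' field injected through a proxy is accepted just like the
    visible form fields, which is the flaw described in the advisory.
    """
    updated = dict(user)
    updated.update(params)
    return updated


def update_user_hardened(user: Dict, params: Dict) -> Tuple[Dict, List[str]]:
    """Applies only allowlisted fields; returns the record and the dropped names.

    Read-only and unknown parameters are ignored rather than written. The
    caller can log the dropped names: a request carrying a field the form
    never sends is evidence of request tampering.
    """
    updated = dict(user)
    dropped: List[str] = []
    for name, value in params.items():
        if name in EDITABLE_FIELDS:
            updated[name] = value
        else:
            dropped.append(name)  # covers IMMUTABLE_FIELDS and anything unexpected
    return updated, dropped


if __name__ == "__main__":
    # Constructed sample: the browser sends only editable fields; a proxy adds "username".
    stored = {"id": 7, "username": "alice", "email": "alice@example.test", "display_name": "Alice"}
    tampered = {"email": "alice@example.test", "display_name": "Alice", "username": "admin"}
    print(update_user_vulnerable(stored, tampered)["username"])  # admin
    record, rejected = update_user_hardened(stored, tampered)
    print(record["username"], rejected)  # alice ['username']
```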
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 4
News mentions: 0
No linked articles in our index yet.