CVE-2023-43154

CRITICAL

Macs CMS 1.1.4f - Authentication Bypass via PHP Type Confusion in isValidLogin()

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-43154. PoCs published by ally-petitt.

AI-analyzed exploit summary This repository provides a detailed technical analysis of CVE-2023-43154, a PHP type confusion vulnerability in Macs Framework v1.1.4f CMS. The vulnerability allows authentication bypass due to loose comparison in the `isValidLogin()` function, enabling attackers to log in as administrators using magic hashes.

Description

In Macrob7 Macs Framework Content Management System (CMS) 1.1.4f, loose comparison in "isValidLogin()" function during login attempt results in PHP type confusion vulnerability that leads to authentication bypass and takeover of the administrator account.

Exploits (1)

nomisec WRITEUP
by ally-petitt · poc
https://github.com/ally-petitt/CVE-2023-43154-PoC

This repository provides a detailed technical analysis of CVE-2023-43154, a PHP type confusion vulnerability in Macs Framework v1.1.4f CMS. The vulnerability allows authentication bypass due to loose comparison in the `isValidLogin()` function, enabling attackers to log in as administrators using magic hashes.

Classification
Writeup 100%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Reliable
Target: Macs Framework v1.1.4f CMS
No auth needed
Prerequisites: Known username of the victim account · Password that results in a magic hash
devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (2)

Core 2

Scores

CVSS v3 9.8
EPSS 0.0097
EPSS Percentile 57.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Details

CWE
CWE-843
Status published
Products (1)
macs_cms_project/macs_cms 1.1.4f
Published Sep 27, 2023
Tracked Since Feb 18, 2026