CVE-2024-46607

HIGH

Thecosy Icecms < 3.4.7 - Improper Access Control

Title source: rule

Description

Incorrect access control in IceCMS v3.4.7 and before allows attackers to authenticate by entering any arbitrary values as the username and password via the loginAdmin method in the UserController.java file.

Scores

CVSS v3 7.6
EPSS 0.0009
EPSS Percentile 25.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE
CWE-284
Status published
Products (1)
thecosy/icecms < 3.4.7
Published Sep 25, 2024
Tracked Since Feb 18, 2026