CVE-2025-63523

Description

FeehiCMS version 2.1.1 fails to enforce server-side immutability for parameters that are presented to clients as "read-only." An authenticated attacker can intercept and modify the parameter in transit and the backend accepts the changes. This can lead to unintended username changes.

CVSS Details

CVSS Score

6.5

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:feehi:feehicms:2.1.1:*:*:*:*:*:*:* - VULNERABLE

FeehiCMS < 2.1.1

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

PoC代码...

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-63523
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-63523
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-63523/
[4] VulDB https://vuldb.com/cve/CVE-2025-63523
[5] https://github.com/kiwi865/CVEs/blob/main/CVE-2025-63523.md
[6] https://github.com/liufee/cms/issues/77

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-63523", "sourceIdentifier": "[email protected]", "published": "2025-12-01T15:15:50.973", "lastModified": "2025-12-02T03:06:26.707", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "FeehiCMS version 2.1.1 fails to enforce server-side immutability for parameters that are presented to clients as \"read-only.\" An authenticated attacker can intercept and modify the parameter in transit and the backend accepts the changes. This can lead to unintended username changes."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 2.5}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 2.5}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-125"}]}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-125"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:feehi:feehicms:2.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "DBEE4749-21CC-4336-8565-A05BC680EDF2"}]}]}], "references": [{"url": "https://github.com/kiwi865/CVEs/blob/main/CVE-2025-63523.md", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://github.com/liufee/cms/issues/77", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking", "Vendor Advisory"]}]}}