CVE-2024-46607

Incorrect access control in IceCMS v3.4.7 and before allows attackers to authenticate by entering any arbitrary values as the username and password via the loginAdmin method in the UserController.java file.

CVSS v3 7.6 HIGH

7.6^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.1 / Impact : 5.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
http://icecms.com	Product
https://github.com/Lunax0/LogLunax/blob/main/icecms/CVE-2024-46607.md	Exploit Third Party Advisory
https://github.com/Thecosy/iceCMS?tab=readme-ov-file	Product

Configurations

Configuration 1 (hide)

cpe:2.3:a:thecosy:icecms:*:*:*:*:*:*:*:*

History

28 Apr 2025, 17:09

Type	Values Removed	Values Added
First Time		Thecosy Thecosy icecms
CWE		NVD-CWE-noinfo
CPE		cpe:2.3:a:thecosy:icecms::::::::
References	~~() http://icecms.com -~~	() http://icecms.com - Product
References	~~() https://github.com/Lunax0/LogLunax/blob/main/icecms/CVE-2024-46607.md -~~	() https://github.com/Lunax0/LogLunax/blob/main/icecms/CVE-2024-46607.md - Exploit, Third Party Advisory
References	~~() https://github.com/Thecosy/iceCMS?tab=readme-ov-file -~~	() https://github.com/Thecosy/iceCMS?tab=readme-ov-file - Product

26 Sep 2024, 13:32

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-09-25 01:15

Updated : 2025-04-28 17:09

NVD link : CVE-2024-46607

Mitre link : CVE-2024-46607

CVE.ORG link : CVE-2024-46607

JSON object : View

Products Affected

thecosy

icecms

CWE

NVD-CWE-noinfo CWE-284

Improper Access Control

7.6 /10