
FeehiCMS version 2.1.1 - Parameter Tampering for Read-Only Username Parameter #77

@kiwi865

[Parameter Tampering for Read-Only Parameter]

Severity Score: Low

CVSS Score: 3.5 Low, CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

Description

FeehiCMS version 2.1.1 fails to enforce server-side immutability for parameters that are presented to clients as “read-only.” An authenticated attacker can intercept and modify the parameter in transit, and the backend accepts the changes.

Impact

This can lead to unintended username changes.

POC

Register two users, user1 and user2.


Log in as a backend user and navigate to the user module.


Observe that the username is readonly.

Update the user record. Below is the original request.


Modified request, added username parameter.


The readonly username was changed.


Remediation

  1. Omit the affected parameter on the server side.
  2. Validate that only whitelisted parameters are allowed for user updates.
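
One way to apply both remediation points on the server, as an added example that is not FeehiCMS code and not part of the original report. It is plain PHP with no framework; the field names, the `filterUserUpdate` helper and the sample request are hypothetical and constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical field names; FeehiCMS's real model attributes may differ.
const UPDATABLE_FIELDS = ['email', 'status'];
const IMMUTABLE_FIELDS = ['id', 'username'];

/**
 * Split a submitted update payload into values that may be applied and
 * fields the client was not allowed to send.
 *
 * @return array{apply: array<string, mixed>, rejected: list<string>}
 */
function filterUserUpdate(array $submitted, array $current): array
{
    $apply = [];
    $rejected = [];
    foreach ($submitted as $field => $value) {
        $field = (string) $field;
        if (in_array($field, UPDATABLE_FIELDS, true)) {
            $apply[$field] = $value;
        } elseif (in_array($field, IMMUTABLE_FIELDS, true)
            && array_key_exists($field, $current)
            && is_scalar($value)
            && (string) $value === (string) $current[$field]) {
            // Client echoed the stored value unchanged: harmless, ignore it.
            continue;
        } else {
            // Changed read-only field, or a parameter not on the allowlist.
            $rejected[] = $field;
        }
    }
    return ['apply' => $apply, 'rejected' => $rejected];
}

// Constructed sample: a stored record and a request body with an added username.
$stored  = ['id' => 7, 'username' => 'user2', 'email' => 'user2@example.test'];
$request = ['username' => 'renamed', 'email' => 'new@example.test', 'unexpected' => '1'];

$result = filterUserUpdate($request, $stored);
if ($result['rejected'] !== []) {
    // Fail closed: refuse the whole update and leave an audit trail.
    error_log('user update rejected, disallowed fields: ' . implode(',', $result['rejected']));
    http_response_code(400);
    echo 'rejected: ' . implode(',', $result['rejected']) . PHP_EOL;
} else {
    echo 'updated: ' . json_encode(array_merge($stored, $result['apply'])) . PHP_EOL;
}
```

Rejecting the whole request, rather than silently dropping the extra field, also gives defenders a log entry each time a client submits a value for a field the form renders as read-only.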
