CVE-2024-46612

Published Sep 25, 2024

Last updated a year ago

CVSS critical 9.8

Overview

Description
IceCMS v3.4.7 and before was discovered to contain a hardcoded JWT key, allowing an attacker to forge JWT authentication information.
Source
cve@mitre.org
NVD status
Analyzed
Products
icecms

Risk scores

CVSS 3.1

Type
Secondary
Base score
9.8
Impact score
5.9
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity
CRITICAL

Weaknesses

134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE-321

Social media

Hype score
Not currently trending

Configurations

Related CVEs

  1. An access control issue in the component /square/getAllSquare/circle of iceCMS v2.2.0 allows unauthenticated attackers to access sensitive information.CVE-2025-22983
  2. An access control issue in the component /api/squareComment/DelectSquareById of iceCMS v2.2.0 allows unauthenticated attackers to access sensitive information.CVE-2025-22984
  3. icecms <=3.4.7 has a File Upload vulnerability in FileUtils.java,uploadFile.CVE-2024-48202
  4. An access control issue in the CheckVip function in UserController.java of IceCMS v3.4.7 and before allows unauthenticated attackers to access and returns all user information, including passwordsCVE-2024-46609
  5. An access control issue in IceCMS v3.4.7 and before allows attackers to arbitrarily modify users' information, including username and password, via a crafted POST request sent to the endpoint /User/ChangeUser/s in the ChangeUser function in UserController.javaCVE-2024-46610

References

Sources include official advisories and independent security research.