Impact
Feehi CMS versions up to 2.1.1 contain an improper authorization flaw in the /api/users endpoint: requests to that endpoint can be manipulated so that the normal access control checks are bypassed. The weakness is classified as CWE-266 (Incorrect Privilege Assignment) and CWE-284 (Improper Access Control). It permits an attacker to obtain user information they are not authorized to see and potentially to perform privileged operations. The description does not state how far the escalation extends (read-only versus write access), but bypassing the control is enough to expose sensitive account data.
Affected Systems
All installations of Feehi CMS 2.1.1 or earlier are affected when the /api/users endpoint is reachable. Any deployment that exposes the CMS to external networks with the API accessible is in scope; installations where the API is unreachable from untrusted networks are at lower risk but are still running vulnerable code.
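Because the affected condition is "the /api/users endpoint is exposed", the practical first step is to confirm whether an installation answers that path without credentials. The following is an added example, not code from the Feehi CMS project or from this advisory: it probes the endpoint with no authentication and classifies the reply, and it ships with a constructed local mock so it runs offline. The mock's response shape, the field names in USER_FIELDS and the Bearer-token check in the hardened variant are assumptions for the demonstration; the real Feehi response format is not given on this page.

```python
"""Exposure check for an API endpoint that is supposed to require authentication.

Added example (not Feehi CMS project code). The mock server below is constructed
for the demonstration; point probe_users_endpoint() at a real base URL to use it.
"""
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumption: field names whose presence in an unauthenticated reply show that
# account data is leaking. Adjust to the real response once you have seen one.
USER_FIELDS = {"username", "email", "password", "password_hash", "auth_key"}

# Constructed sample records served by the mock (not real data).
CONSTRUCTED_USERS = [
    {"id": 1, "username": "admin", "email": "admin@example.invalid", "auth_key": "k1"},
    {"id": 2, "username": "editor", "email": "editor@example.invalid", "auth_key": "k2"},
]


def probe_users_endpoint(base_url, path="/api/users", timeout=5):
    """GET `path` with no credentials and report whether user data comes back."""
    req = urllib.request.Request(base_url.rstrip("/") + path,
                                 headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status, body = resp.status, resp.read()
    except urllib.error.HTTPError as err:  # urllib raises for 4xx/5xx
        status, body = err.code, err.read()

    if status in (401, 403):
        return {"status": status, "exposed": False, "fields": [],
                "reason": "access control enforced"}
    if status != 200:
        return {"status": status, "exposed": False, "fields": [],
                "reason": "endpoint not served"}
    try:
        data = json.loads(body)
    except ValueError:
        return {"status": status, "exposed": False, "fields": [],
                "reason": "non-JSON body"}

    # Accept either a bare list or a {"data": [...]} envelope.
    records = data.get("data", data) if isinstance(data, dict) else data
    if isinstance(records, dict):
        records = [records]
    leaked = set()
    for rec in records if isinstance(records, list) else []:
        if isinstance(rec, dict):
            leaked |= USER_FIELDS & set(rec)
    return {"status": status, "exposed": bool(leaked), "fields": sorted(leaked),
            "reason": "user records returned without credentials" if leaked
            else "200 but no user fields recognised"}


def make_handler(enforce_auth):
    """Build a mock /api/users handler; enforce_auth=False mimics the flawed behaviour."""
    class Handler(BaseHTTPRequestHandler):
        def log_message(self, *args):  # keep the demo quiet
            pass

        def do_GET(self):
            if self.path != "/api/users":
                self._send(404, {"error": "not found"})
                return
            # Assumed hardened check: require a bearer token before serving users.
            if enforce_auth and not self.headers.get("Authorization", "").startswith("Bearer "):
                self._send(401, {"error": "unauthorized"})
                return
            self._send(200, {"data": CONSTRUCTED_USERS})

        def _send(self, status, payload):
            body = json.dumps(payload).encode()
            self.send_response(status)
            self.send_header("Content-Type", "application/json")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
    return Handler


def start_mock(enforce_auth):
    """Serve the mock on a random loopback port; returns (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), make_handler(enforce_auth))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def stop_mock(server):
    server.shutdown()
    server.server_close()


if __name__ == "__main__":
    for enforce in (False, True):
        srv, url = start_mock(enforce_auth=enforce)
        print("auth enforced" if enforce else "flawed endpoint", probe_users_endpoint(url))
        stop_mock(srv)
```

Run it against a real host only with authorization to test that host; a 200 with recognised account fields is the finding, a 401/403 means the control is in place for unauthenticated callers (it says nothing about whether a low-privileged account can still reach other users' records, which this page does not rule out).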
Risk and Exploitability
The CVSS score of 5.3 places this vulnerability in the medium severity range. No EPSS score is available, and the vulnerability is not listed in CISA's KEV catalogue, so there is no confirmed in-the-wild exploitation on record. However, an exploit is publicly available and the flaw can be triggered remotely, so an attacker could reach restricted user information with no credentials or, at most, a low-privileged account; the page does not state which. With a public exploit and no vendor fix, the risk to exposed installations is significant: restrict access to /api/users at the reverse proxy or network layer until a fix is available, and monitor access logs for requests to that path from unexpected sources.
OpenCVE Enrichment