CVE-2021-26598 — AI Deep Analysis Summary

🚨 **Essence**: A critical authorization flaw in ImpressCMS. 📉 **Consequences**: Attackers bypass security limits to steal sensitive user info or access restricted features. It's a direct breach of trust!

🛡️ **Root Cause**: Incorrect access control logic in `/include/findusers.php`. 🔍 **Flaw**: The system fails to properly verify if a user has permission to view specific data, allowing unauthorized reads.

📦 **Affected**: ImpressCMS versions **before 1.4.3**. 🌐 **Component**: Specifically the `findusers.php` module. If you are running an older version, you are at risk!

💀 **Attacker Actions**: - **Data Theft**: Access sensitive user information. - **Privilege Escalation**: Bypass security tokens. - **Unauthorized Ops**: Modify data or execute actions without permission.…

⚡ **Threshold**: **LOW**. 🚪 **Auth**: Remote exploitation possible. No local access needed. ⚙️ **Config**: Exploits a logic error in a core file, making it easy to trigger via HTTP requests.

🔓 **Public Exp?**: **YES**. 📜 **PoC**: Available via Nuclei templates and PacketStorm. 🌍 **Wild Exp**: Reported on HackerOne, meaning real-world exploitation is confirmed and documented.

🔍 **Self-Check**: - Scan for ImpressCMS instances. - Check version number (must be < 1.4.3). - Look for `/include/findusers.php` endpoint. 🛠️ **Tool**: Use Nuclei with the specific CVE template for quick detection.

✅ **Fixed?**: **YES**. 🩹 **Patch**: Upgrade to **ImpressCMS 1.4.3** or later. The vendor has addressed the authorization logic in the newer release. Don't wait!

🚧 **No Patch?**: - **WAF Rules**: Block access to `/include/findusers.php`. - **Access Control**: Restrict file permissions on the server. - **Network**: Limit exposure of the CMS to trusted IPs only.…

🔥 **Urgency**: **HIGH**. 🚨 **Priority**: Immediate action required. Since PoCs are public and it involves data leakage, patching to v1.4.3+ is critical to protect user data and system integrity.