Key vulnerability information

Title: Cicool Builder <= 3.4.4 (Nov 2023) - Incorrect Access Control (Administrator Password Reset)
Date: 2025-08-18
Exploit author: Yassine Ben Tkhayat
Vendor homepage: https://cicoolbuilder.com/
Software link: https://codecanyon.net/item/cicool-page-form-rest-api-and-crud-generator/19207897?ref=ridwanskaterocks
Version: <= 3.4.4 (Nov 2023)
Tested on: Cicool Builder 3.4.4
CVE: CVE-2025-51543

Description:
Cicool Builder version 3.4.4 and prior suffers from an incorrect access control vulnerability. An unauthenticated attacker can directly access the administrator password reset endpoint without requiring knowledge of the existing password. Successful exploitation allows full administrative takeover of the application.

Vulnerable endpoint:
https://{{VulnerableSite}}/administrator/auth/reset_password

Attack scenario:
1. An attacker navigates to the password reset endpoint.
2. The application fails to enforce proper authentication/authorization checks.
3. The attacker resets the administrator password without prior knowledge of the current password.
4. The attacker logs in with the new credentials, obtaining full administrative access.

Impact:
- Full administrative account takeover without prior authentication.
- Complete compromise of the application and hosted data.
- Unauthorized modification or deletion of critical system resources.

Mitigation:
- Enforce strict authentication and authorization checks on the password reset functionality.
- Upgrade to the latest patched version as soon as it becomes available.
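The mitigation above is the whole fix: a password-reset handler must refuse any caller who has no authenticated administrator session and who cannot prove the current password. The following is an added illustration, not code from Cicool Builder or from the advisory author. It models the weak handler the advisory describes next to a hardened one, and adds a small access-log scan that flags every hit on the reset endpoint for review. It assumes a PBKDF2-hashed administrator record, a minimal request object with a session dictionary, a constructed sample log, and an assumed login path (/administrator/auth/login) used only as a heuristic in the log scan; none of those details are taken from the advisory.

```python
"""Added illustration (not Cicool's code): access control on an
administrator password-reset handler, plus a log scan for hits on it."""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Endpoint named in the advisory. The login path is an assumption used only
# by the log heuristic below; it is not taken from the advisory.
RESET_PATH = "/administrator/auth/reset_password"
LOGIN_PATH = "/administrator/auth/login"  # assumed, for illustration only


def _derive(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """PBKDF2-HMAC-SHA256 hash; a fresh random salt is drawn when none is given."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class AdminAccount:
    salt: bytes
    digest: bytes

    @classmethod
    def create(cls, password: str) -> "AdminAccount":
        return cls(*_derive(password))

    def verify(self, password: str) -> bool:
        # Constant-time comparison of the recomputed digest with the stored one.
        return hmac.compare_digest(_derive(password, self.salt)[1], self.digest)

    def set_password(self, password: str) -> None:
        self.salt, self.digest = _derive(password)


@dataclass
class Request:
    """Minimal stand-in for a framework request; an empty session means the
    caller never authenticated."""
    path: str
    form: Dict[str, str]
    session: Dict[str, int] = field(default_factory=dict)


def reset_password_weak(account: AdminAccount, req: Request) -> int:
    """The pattern the advisory describes: whoever reaches the endpoint can set
    a new administrator password. Returns an HTTP status code."""
    account.set_password(req.form["new_password"])
    return 200


def reset_password_hardened(account: AdminAccount, req: Request) -> int:
    """Require an authenticated administrator session AND proof of the current
    password before the credential changes. Returns an HTTP status code."""
    if not req.session.get("admin_id"):
        return 401  # not logged in: never touch the credential
    if not account.verify(req.form.get("current_password", "")):
        return 403  # logged in, but cannot prove knowledge of the old password
    new_password = req.form.get("new_password", "")
    if len(new_password) < 12:
        return 400  # reject trivially short replacements
    account.set_password(new_password)
    return 200


# Constructed sample access log (combined-style), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Aug/2025:10:01:02 +0000] "GET /administrator/auth/login HTTP/1.1" 200 1532
203.0.113.7 - - [18/Aug/2025:10:01:09 +0000] "POST /administrator/auth/login HTTP/1.1" 302 0
203.0.113.7 - - [18/Aug/2025:10:02:30 +0000] "POST /administrator/auth/reset_password HTTP/1.1" 200 412
198.51.100.23 - - [18/Aug/2025:11:40:11 +0000] "POST /administrator/auth/reset_password HTTP/1.1" 200 412
198.51.100.23 - - [18/Aug/2025:11:40:15 +0000] "GET /administrator/dashboard HTTP/1.1" 200 8812
"""

_LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def find_reset_requests(log_text: str) -> List[Dict[str, object]]:
    """Flag every hit on the reset endpoint and note whether the same client
    posted to the login path earlier in the log (a heuristic, not proof of a
    successful login). Every flagged entry deserves a manual look."""
    seen_login = set()
    hits: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        m = _LOG_RE.match(line)
        if not m:
            continue
        ip, method, path, status = m.groups()
        path = path.split("?")[0]
        if method == "POST" and path == LOGIN_PATH:
            seen_login.add(ip)
        if path == RESET_PATH:
            hits.append({"ip": ip, "method": method, "status": int(status),
                         "prior_login": ip in seen_login})
    return hits


if __name__ == "__main__":
    acct = AdminAccount.create("OriginalAdminPass!")
    anonymous = Request(RESET_PATH, {"new_password": "ChangedWithoutAuth123"})
    print("hardened, no session ->", reset_password_hardened(acct, anonymous))
    for hit in find_reset_requests(SAMPLE_LOG):
        print(hit)
```

In the sample log the second client reaches the reset endpoint with no earlier login request at all, which is exactly the traffic shape the advisory describes; the hardened handler answers such a request with 401 before reading the form, so the stored credential never changes.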