CVE-2025-63523
Published 2025-12-01
Priority: P3 · 35 · Severity: medium · CVSS 3.1 base score: 6.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
EPSS: 0.23% (13.7th percentile)
FeehiCMS version 2.1.1 fails to enforce server-side immutability for parameters that are presented to clients as "read-only." An authenticated attacker can intercept and modify the parameter in transit and the backend accepts the changes. This can lead to unintended username changes.
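The flaw class described above is a server trusting a client-side "read-only" attribute instead of enforcing the restriction itself. The following added example (not FeehiCMS code; the field names, the `EDITABLE_FIELDS` allow-list and the in-memory `User` record are constructed for illustration) contrasts a handler that applies every submitted key with one that copies only allow-listed keys and reports the rest, so tampering with a protected field such as `username` is both ignored and visible to logging.

```python
"""Server-side enforcement of read-only fields for a profile update.

Added example, not FeehiCMS's own code. Models the weakness in
CVE-2025-63523 (backend accepts changes to a field the UI presents as
read-only) beside an allow-list that drops such fields server-side.
All names and data here are constructed for illustration.
"""
from dataclasses import dataclass

# Hypothetical set of fields the profile form is allowed to change.
# 'username' is rendered read-only in the UI but must be protected here:
# the client cannot be trusted to honour a presentation-layer attribute.
EDITABLE_FIELDS = frozenset({"email", "display_name", "bio"})


@dataclass
class User:
    id: int
    username: str
    email: str
    display_name: str = ""
    bio: str = ""


def update_profile_vulnerable(user: User, form: dict) -> User:
    """Applies every submitted key that matches an attribute.

    This is the pattern behind the advisory: a tampered 'username'
    in the request body is accepted as if it were an editable field.
    """
    for key, value in form.items():
        if hasattr(user, key):
            setattr(user, key, value)
    return user


def update_profile_hardened(user: User, form: dict) -> tuple[User, list[str]]:
    """Copies only allow-listed keys from the submitted form.

    Returns the user plus the sorted list of rejected keys so the caller
    can log them; a request that carries protected fields is a useful
    audit signal for tampering attempts.
    """
    rejected = sorted(k for k in form if k not in EDITABLE_FIELDS)
    for key in EDITABLE_FIELDS & form.keys():
        setattr(user, key, form[key])
    return user, rejected


def demo() -> tuple[str, str, list[str]]:
    # Constructed request body: a client that edited the read-only field.
    tampered = {"display_name": "Alice", "username": "admin"}
    vuln = update_profile_vulnerable(User(7, "alice", "a@example.test"), dict(tampered))
    hard, rejected = update_profile_hardened(User(7, "alice", "a@example.test"), dict(tampered))
    return vuln.username, hard.username, rejected


if __name__ == "__main__":
    print(demo())  # ('admin', 'alice', ['username'])
```

The allow-list lives on the server and is the only thing that decides mutability; the UI's read-only flag is a usability hint, not a control. Logging the `rejected` list turns every attempt to write a protected field into a detectable event.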
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| feehi | feehicms | — | — |
GHSA (2025-12-01): CVE-2025-63523 [MEDIUM] CWE-125 FeehiCMS fails to enforce server-side immutability
OSV (2025-12-01): CVE-2025-63523 [MEDIUM] FeehiCMS fails to enforce server-side immutability
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2025-12-01