IceCMS is a standalone content management system built on Spring Boot + Vue. IceCMS v2.0.1 has a logic flaw: in the admin background, the /adplanet/PlanetUser page calls the API /square/GetAllSquareUser to obtain user information. Under normal circumstances, this API should only be accessible after logging in. Harm: attackers can obtain a large amount of user information, including sensitive information such as usernames, passwords, and email addresses, without logging in.


In the admin background, there is a user management function under the /adplanet/PlanetUser page.

We visit this page and capture the request, and find the API /square/GetAllSquareUser, which is used to obtain user information, including usernames, passwords, email addresses and other sensitive fields.

We put this request into the fuzz module, delete the JWT token, and resend it; the response still contains the user information.

To verify further, we switched browsers (with no session for the application), accessed this interface again, and still received a large amount of user information.
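For defenders who cannot patch immediately, the missing-authorization behaviour above leaves a clear trace in access logs: 2xx responses from /square/GetAllSquareUser to requests that carried no Authorization header. The following detection script is an added example, not part of the original report or the IceCMS project; it assumes an nginx-style combined log format extended with `"$http_authorization"` as a final field, and the log lines it parses are constructed samples.

```python
"""Flag unauthenticated 2xx responses from the IceCMS user-listing endpoint.

Assumption (not from the report): the reverse proxy logs the combined format
plus one extra quoted field holding $http_authorization ("-" when absent).
"""
import re
from collections import Counter

# Endpoints that should never answer without a valid login.
SENSITIVE_ENDPOINTS = {"/square/GetAllSquareUser"}

# combined log format + ' "$http_authorization"' (assumed deployment format)
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" "(?P<auth>[^"]*)"'
)

# Constructed sample log: one legitimate admin call, two unauthenticated
# scrapes from the same client, one unrelated request, one rejected request.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2024:10:00:01 +0000] "GET /square/GetAllSquareUser HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "Bearer eyJhbGciOi..."
198.51.100.7 - - [10/Jan/2024:10:00:02 +0000] "GET /square/GetAllSquareUser HTTP/1.1" 200 5120 "-" "python-requests/2.31" "-"
198.51.100.7 - - [10/Jan/2024:10:00:03 +0000] "GET /square/GetAllSquareUser?page=2 HTTP/1.1" 200 5120 "-" "python-requests/2.31" "-"
203.0.113.9 - - [10/Jan/2024:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 812 "-" "Mozilla/5.0" "-"
198.51.100.8 - - [10/Jan/2024:10:00:05 +0000] "GET /square/GetAllSquareUser HTTP/1.1" 401 0 "-" "curl/8.0" "-"
"""


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_unauthenticated_hits(log_text):
    """Return (ip, path) for 2xx responses on sensitive endpoints with no Authorization header."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # ignore query string when matching
        if path in SENSITIVE_ENDPOINTS and rec["auth"] in ("", "-") and rec["status"].startswith("2"):
            hits.append((rec["ip"], rec["path"]))
    return hits


def hits_per_ip(log_text):
    """Count unauthenticated successful hits per source IP (scraping shows up as high counts)."""
    return Counter(ip for ip, _ in find_unauthenticated_hits(log_text))


if __name__ == "__main__":
    for ip, n in hits_per_ip(SAMPLE_LOG).items():
        print(f"{ip}: {n} unauthenticated 2xx responses from user-listing endpoint")
```

Any non-zero count after the endpoint is patched means the fix did not take effect; before the patch, the counts identify which clients pulled the user list without a session.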