AdaptCMS IDOR Exploit: Change Passwords Like a Boss!

An IDOR in the “Change Password” functionality of AdaptCMS v3.0.3 lets users with low privileges channel their inner hacker, altering admin passwords with the finesse of a cat burglar armed with a keyboard. Just a few clicks and voila, you’re the new admin! Security? Who needs it when you’ve got IDOR’s magic touch?


Hot Take:

So, it turns out that AdaptCMS has a password change feature that’s more open than a 24-hour drive-thru! With a little IDOR magic, you too can have admin access faster than you can say “security breach”—because who needs pesky things like user permissions anyway?

Key Points:

  • Andrey Stoykov discovered an Insecure Direct Object Reference (IDOR) vulnerability in AdaptCMS version 3.0.3.
  • The vulnerability allows low-privilege users to change the password of higher-privilege accounts, such as the admin account.
  • The exploit was tested on a Debian 12 system.
  • The exploit involves intercepting the password-change POST request and altering the user ID value it carries.
  • Because the password-change handler trusts that client-supplied ID instead of checking who owns the target account, the vulnerability can give an attacker unauthorized access to sensitive areas of the CMS.
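The key points above describe the classic shape of this bug: the handler takes the account to modify from a field the client controls. The following is an added example, not AdaptCMS code and not from the advisory: a minimal Python model of such a password-change flow, with the vulnerable handler next to a hardened one that enforces object-level authorization, plus a small audit check over constructed application log lines that would surface a low-privilege session changing someone else's password. The form field names (`user_id`, `password`, `current_password`), the roles, the user table and the log format are all assumptions made for the example.

```python
"""
Added example (not AdaptCMS code): object-level authorization on a
password-change handler, and an audit check for cross-account changes.
Field names, roles, user table and log format are assumptions.
"""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass


@dataclass
class User:
    id: int
    username: str
    role: str            # "admin" or "member" (assumed role names)
    salt: bytes = b""
    pw_hash: bytes = b""


def set_password(user: User, password: str) -> None:
    """Store a salted PBKDF2 hash rather than the plaintext password."""
    user.salt = os.urandom(16)
    user.pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), user.salt, 100_000)


def verify_password(user: User, password: str) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user.salt, 100_000)
    return hmac.compare_digest(candidate, user.pw_hash)


def make_users() -> dict:
    """Constructed user table: one admin and one low-privilege member."""
    users = {1: User(1, "admin", "admin"), 7: User(7, "lowpriv", "member")}
    set_password(users[1], "admin-original")
    set_password(users[7], "member-original")
    return users


def change_password_vulnerable(users: dict, session_uid: int, form: dict) -> int:
    """IDOR: the target account comes straight from the client-controlled
    form field, so any logged-in user can overwrite any other user's password.
    The session's own user id is never consulted."""
    target = users[int(form["user_id"])]
    set_password(target, form["password"])
    return 200


def change_password_hardened(users: dict, session_uid: int, form: dict) -> int:
    """Object-level authorization: a non-admin may only change the account
    bound to their session, and a self-service change must also prove
    knowledge of the current password."""
    requester = users[session_uid]
    requested = int(form.get("user_id", session_uid))
    if requested != requester.id and requester.role != "admin":
        return 403   # low-privilege session naming another account
    if requested == requester.id and not verify_password(requester, form.get("current_password", "")):
        return 401   # missing or wrong current password
    set_password(users[requested], form["password"])
    return 200


# Assumed application audit-log format for password changes.
LOG_LINE = re.compile(r"session_uid=(\d+) action=change_password target_uid=(\d+) status=(\d+)")


def find_cross_account_changes(log_lines, users: dict) -> list:
    """Flag successful password changes where a non-admin session changed a
    different user's password: the footprint of this IDOR being exercised."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.search(line)
        if not m:
            continue
        session_uid, target_uid, status = (int(x) for x in m.groups())
        if status == 200 and session_uid != target_uid and users[session_uid].role != "admin":
            hits.append((session_uid, target_uid))
    return hits


SAMPLE_LOG = [  # constructed log lines
    "2024-01-01T10:00:00Z session_uid=7 action=change_password target_uid=7 status=200",
    "2024-01-01T10:00:05Z session_uid=7 action=change_password target_uid=1 status=200",
    "2024-01-01T10:01:00Z session_uid=1 action=change_password target_uid=7 status=200",
]


def demo() -> tuple:
    """Low-privilege user 7 submits a form naming user 1 (the admin)."""
    form = {"user_id": "1", "password": "attacker-chosen"}
    vuln = change_password_vulnerable(make_users(), 7, form)   # 200: admin password replaced
    users = make_users()
    hard = change_password_hardened(users, 7, form)            # 403: refused
    return vuln, hard, find_cross_account_changes(SAMPLE_LOG, users)


if __name__ == "__main__":
    print(demo())
```

The hardened handler's key move is that the session, not the form, decides which account may be modified; the client-supplied `user_id` is only honoured for a role that is allowed to administer other accounts. The audit check is the corresponding detection: a 200 on a password change where the session user and target user differ, from a non-admin session, is the event worth alerting on.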

The Nimble Nerd