JIZHICMS Improper Authorization Vulnerability in Article Handler Component

A vulnerability allowing improper authorization has been identified in JIZHICMS versions through 1.7.0. This issue resides in the Article Handler component, specifically within the file '/user/release.html'. The vulnerability arises from the manipulation of the 'ishot' parameter, which, when set to '1', allows unauthorized users to modify article data by marking it as popular. This flaw can be exploited remotely, without any authentication requirements.

Impact

Exploitation of this vulnerability allows for unauthorized data modification in the article publishing feature, potentially leading to incorrect or misleading information being presented as factual.

Reproduction

To reproduce this vulnerability, send a POST request to '/user/release.html' with the 'ishot' parameter set to '1'. This can be done using a web browser or a tool like cURL or Postman. The request should include a valid PHP session cookie to simulate an authenticated user. Once the request is sent, the article will be published with the 'popular' designation, despite lacking the necessary authorization.