Juzaweb CMS
cpe:2.3:a:juzaweb:cms:*:*:*:*:*:*:*
- 3.4.2
A critical improper access control vulnerability (a missing authorization check) has been identified in Juzaweb CMS versions up to and including 3.4.2. The issue resides in an unknown function of the file '/admin-cp/theme/editor/default', the Theme Editor Page component. An authenticated user whose role grants no permissions can still reach the theme-editing functions and modify the CMS theme as an administrator would. The vulnerability is exploitable remotely and has been disclosed publicly.
Exploiting this vulnerability, a malicious user with low privileges can open the theme editor and change theme files, gaining the same control over the CMS theme that an administrator has.
To reproduce, create a new user and assign it a role with every permission disabled. Log in with that account and navigate to the Theme Editor Page ('/admin-cp/theme/editor/default'). The editor loads and theme-editing functions are available even though the account holds no permissions.