CVE-2021-26598: 
PHP vulnerability analysis and mitigation

CVE-2021-26598 affects ImpressCMS versions before 1.4.3, specifically related to an Incorrect Access Control vulnerability in the include/findusers.php file. The vulnerability was discovered on January 19, 2021, and publicly disclosed on March 22, 2022, after the release of version 1.4.3 which contains the fix (Karma Security, Full Disclosure).

The vulnerability exists in the /include/findusers.php script where unauthenticated attackers can access functionality intended for authenticated users only. The issue stems from an if statement that allows access when a valid security token is provided, even if the user is not authenticated. Such tokens can be generated from various places in the application, including the misc.php script which doesn't require authentication. The vulnerability has been assigned a CVSS v3.1 Base Score of 5.3 (MEDIUM) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (NVD).

The vulnerability allows unauthorized access to restricted functionality of the application, potentially leading to information disclosure about CMS users. The impact is primarily focused on confidentiality, with no direct impact on integrity or availability of the system (Karma Security).

The recommended mitigation is to upgrade to ImpressCMS version 1.4.3 or later, which contains the fix for this vulnerability. The fix was released on February 6, 2022 (Karma Security).