
Cloud Vulnerability DB
A community-led vulnerabilities database
Incorrect access control in the component /models/Content of Cockpit CMS v2.5.2 allows unauthorized attackers to access sensitive data. The vulnerability was discovered on July 10, 2023, and affects Cockpit CMS versions up to and including 2.5.2 (CVE Details, GhostCcamm Blog).
The flaw sits in the populate function of the Content API, the code that resolves relational mappings between models. When a value in the processed data carries both an id and a model attribute, Cockpit CMS treats it as a reference, looks up the referenced item and inlines it, without checking that the requesting user is permitted to read the referenced model. The problem is compounded by the CMS not validating the types of fields in JSON requests: a field expected to hold one type can instead be supplied as an object carrying id and model attributes, and the resolver follows it as if it were a declared relation (GhostCcamm Blog). The vulnerability carries a CVSS v3.1 base score of 7.5 HIGH, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (CVE Details): reachable over the network, no privileges or user interaction required, high impact on confidentiality and none on integrity or availability.
By pointing such a reference at a protected model, an attacker can read content the CMS should never have returned to them. Because the lookup performs no permission check, any content in the system is reachable this way, regardless of the caller's permission level, resulting in disclosure of confidential data stored in the CMS (GhostCcamm Blog).
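To make the two behaviours concrete, the following is an added illustrative example; it is not Cockpit's own code and is not taken from the GhostCcamm writeup. It models a populate-style resolver over an in-memory store: `populate_unchecked` follows any object shaped like a reference, wherever it appears and whoever is asking, while `populate_checked` only expands fields the model schema declares as relations, only toward their declared target model, and only when the caller is allowed to read that model. The `STORE` and `SCHEMA` contents, the `_id`/`_model` key names and the model names are all constructed for the demonstration.

```python
"""Illustrative populate resolver: unchecked (vulnerable shape) vs. checked (hardened shape).

Everything here is constructed for the example: the stores, schema and key names
are assumptions standing in for a CMS, not Cockpit's real data model or code.
"""
from typing import Any, Dict, Set

# Constructed in-memory collections. "users" is the protected model an
# anonymous caller must never be able to read.
STORE: Dict[str, Dict[str, Dict[str, Any]]] = {
    "posts": {
        "p1": {"_id": "p1", "title": "Hello", "author": {"_id": "u1", "_model": "users"}},
    },
    "users": {
        "u1": {"_id": "u1", "name": "admin", "api_key": "SECRET-KEY-123"},
    },
}

# Assumed schema: which fields of which model are declared relations, and to
# which model they point. posts.title is a plain string, not a relation.
SCHEMA: Dict[str, Dict[str, str]] = {
    "posts": {"author": "users"},
}


def is_reference(value: Any) -> bool:
    """A value 'looks like' a relation if it is an object carrying id and model keys."""
    return isinstance(value, dict) and "_id" in value and "_model" in value


def _lookup(ref: Dict[str, Any]) -> Any:
    return STORE.get(ref["_model"], {}).get(ref["_id"])


def populate_unchecked(value: Any, depth: int = 2) -> Any:
    """Vulnerable shape: every reference-shaped object anywhere in the data is
    resolved, with no permission check and no check that the field was ever
    declared a relation. Field-type confusion (a string field replaced by an
    object) is therefore enough to pull in items from any model."""
    if depth == 0:
        return value
    if is_reference(value):
        target = _lookup(value)
        return populate_unchecked(target, depth - 1) if target is not None else value
    if isinstance(value, dict):
        return {k: populate_unchecked(v, depth) for k, v in value.items()}
    if isinstance(value, list):
        return [populate_unchecked(v, depth) for v in value]
    return value


def populate_checked(model: str, item: Dict[str, Any], readable: Set[str], depth: int = 2) -> Dict[str, Any]:
    """Hardened shape: expand only schema-declared relation fields, only toward
    the schema's target model, and only if the caller may read that model.
    An attacker-controlled object in a non-relation field is simply left alone,
    and a declared relation to a forbidden model stays as a bare reference,
    which reveals nothing beyond an id."""
    out = dict(item)
    if depth == 0:
        return out
    for field, target_model in SCHEMA.get(model, {}).items():
        ref = item.get(field)
        if not is_reference(ref) or ref["_model"] != target_model or target_model not in readable:
            continue
        target = _lookup(ref)
        if target is not None:
            out[field] = populate_checked(target_model, target, readable, depth - 1)
    return out


def demo() -> Dict[str, Any]:
    """Constructed attacker input: the string field 'title' has been replaced by a
    reference object pointing at the protected users model."""
    attacker_item = {"_id": "p9", "title": {"_id": "u1", "_model": "users"}}
    return {
        "unchecked": populate_unchecked(attacker_item),
        "checked": populate_checked("posts", attacker_item, readable={"posts"}),
    }


if __name__ == "__main__":
    result = demo()
    print("unchecked:", result["unchecked"])  # title now carries the admin's api_key
    print("checked:  ", result["checked"])    # title left as the bare reference object
```

The hardened resolver is deliberately schema-driven: the target model is taken from `SCHEMA`, not from the attacker's object, so an authorization decision is made per declared relation rather than per value that happens to look like one. That is the property a fix for this class of bug needs, independent of how Cockpit 2.6.0 implements it.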
The vulnerability is patched in Cockpit CMS 2.6.0, which adds validation in the populate function so that user permissions are verified before related content is resolved. Administrators are strongly advised to upgrade to 2.6.0 or later (Release Notes).
Source: This report was generated using AI