The [icms2] contains a flaw in its admin account management functionality, specifically in the process of changing and resetting administrator passwords. Through analysis and testing, it was observed that an authenticated administrator can change the password of any other administrator's account, effectively allowing unauthorized access and account takeover.
I performed a test using the admin demo user to change another admin user's nickname, as shown in my video PoC, which you can find here:
https://wormhole.app/yOKEq#6MTOE7wwFPFM43elm-Qllg