There is a brute force vulnerabillity via publiccms/admin/login.html

[Echox1]

when I login, i find if i use a wrong username:

So we can use brute force to get the correct username beacuse the correct username has different response lenth

after we got the correct username,use the same way to get the correct password

302 redirect means we login successful