Ametys before 4.0.3 requires authentication only for URIs containing a /cms/ substring, which allows remote attackers to bypass intended access restrictions via a direct request to /plugins/core-ui/servercomm/messages.xml, as demonstrated by changing the admin password by obtaining account details via a users/search.json request, and then modifying the account via an editUser request.
References
Link | Resource |
---|---|
https://issues.ametys.org/browse/RUNTIME-2582 | Issue Tracking Vendor Advisory |
https://blogs.securiteam.com/index.php/archives/3517 | Exploit Technical Description Third Party Advisory |
Configurations
Information
Published : 2017-11-23 23:29
Updated : 2019-10-02 17:03
NVD link : CVE-2017-16935
Mitre link : CVE-2017-16935
JSON object : View
CWE
CWE-20
Improper Input Validation
Products Affected
ametys
- ametys