CVE-2022-26159 - Ametys CMS - Unauthenticated information disclosure

  • Title : Ametys CMS - Unauthenticated information disclosure in the auto-completion plugin
  • Author : @Podalirius
  • CVSS : 5.3 (Medium)
  • CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N


The auto-completion plugin in Ametys CMS before 4.5.0 allows a remote unauthenticated attacker to read documents such as plugins/web/service/search/auto-completion/domain/en.xml (and similar pathnames for other languages), which contain all characters typed by all users, including the content of private pages. For example, a private page may contain usernames, e-mail addresses, and possibly passwords.

Affected products

Product    Software version
Ametys     <= 4.5.0


The auto-completion plugin in Ametys CMS <= 4.5.0 publicly exposes an XML file containing a wordlist at the following address:


To query this wordlist, an attacker only needs to supply the beginning of a word in the q (query) parameter:


The auto-completion plugin then returns, as an XML document, the first 10 matching words that start with adm (the query prefix):

<?xml version="1.0" encoding="UTF-8"?>

With this in mind, an attacker only needs to perform a depth-first search over the prefix space of the API to extract its entire content.
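The enumeration pattern described above is noisy: one client sends many requests to the auto-completion endpoint, each with a different (often prefix-extending) q value, in a short time. The following detection script is an added example for defenders and is not part of the original advisory; it assumes a web server access log in the common "combined" format and uses constructed sample lines, a hypothetical 60-second window and a threshold of 5 distinct prefixes, all of which are assumptions rather than values from the page. The endpoint path and the q parameter are the ones named in the advisory.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Endpoint path taken from the advisory. The threshold and window below are
# assumed tuning values, not something the advisory specifies.
AUTOCOMPLETE_PATH = "/plugins/web/service/search/auto-completion/"

# Combined log format (assumed): ip ident user [ts] "METHOD url PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines (not real Ametys traffic). 203.0.113.7 walks the
# prefix space; 198.51.100.4 is a normal user of the search box.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2022:12:00:01 +0000] "GET /plugins/web/service/search/auto-completion/domain/en.xml?q=adm HTTP/1.1" 200 512
203.0.113.7 - - [10/Mar/2022:12:00:02 +0000] "GET /plugins/web/service/search/auto-completion/domain/en.xml?q=adma HTTP/1.1" 200 310
198.51.100.4 - - [10/Mar/2022:12:00:03 +0000] "GET /plugins/web/service/search/auto-completion/domain/en.xml?q=home HTTP/1.1" 200 420
203.0.113.7 - - [10/Mar/2022:12:00:03 +0000] "GET /plugins/web/service/search/auto-completion/domain/en.xml?q=admb HTTP/1.1" 200 290
203.0.113.7 - - [10/Mar/2022:12:00:04 +0000] "GET /index.html HTTP/1.1" 200 8120
203.0.113.7 - - [10/Mar/2022:12:00:04 +0000] "GET /plugins/web/service/search/auto-completion/domain/en.xml?q=admi HTTP/1.1" 200 305
203.0.113.7 - - [10/Mar/2022:12:00:05 +0000] "GET /plugins/web/service/search/auto-completion/domain/en.xml?q=admin HTTP/1.1" 200 298
203.0.113.7 - - [10/Mar/2022:12:00:06 +0000] "GET /plugins/web/service/search/auto-completion/domain/en.xml?q=admini HTTP/1.1" 200 277
198.51.100.4 - - [10/Mar/2022:12:05:00 +0000] "GET /plugins/web/service/search/auto-completion/domain/en.xml?q=cont HTTP/1.1" 200 388
"""


def parse_line(line):
    """Return {ip, ts, q} for an auto-completion request with a q parameter, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("url"))
    if not parts.path.startswith(AUTOCOMPLETE_PATH):
        return None
    q = parse_qs(parts.query).get("q", [None])[0]
    if q is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "q": q}


def find_enumeration(lines, threshold=5, window_seconds=60):
    """Flag source IPs that query >= threshold distinct prefixes within any window.

    Also counts 'chained' requests, where q extends the previous q from the same
    IP: the signature of a client walking the prefix tree rather than a human typing.
    """
    per_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            per_ip[ev["ip"]].append(ev)

    alerts = []
    window = timedelta(seconds=window_seconds)
    for ip, events in per_ip.items():
        events.sort(key=lambda e: e["ts"])
        best = 0
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it fits inside window_seconds.
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            best = max(best, len({e["q"] for e in events[start:end + 1]}))
        chained = sum(
            1 for prev, cur in zip(events, events[1:])
            if cur["q"] != prev["q"] and cur["q"].startswith(prev["q"])
        )
        if best >= threshold:
            alerts.append({
                "ip": ip,
                "distinct_prefixes": best,
                "chained_requests": chained,
                "first": events[0]["ts"],
                "last": events[-1]["ts"],
            })
    return alerts


if __name__ == "__main__":
    for alert in find_enumeration(SAMPLE_LOG.splitlines()):
        print(f"{alert['ip']}: {alert['distinct_prefixes']} distinct prefixes, "
              f"{alert['chained_requests']} chained, {alert['first']} .. {alert['last']}")
```

Running this over the sample flags 203.0.113.7 (6 distinct prefixes, 3 of them extending the previous query) and leaves 198.51.100.4 alone. On a live deployment the same logic belongs in a SIEM rule keyed on the endpoint path; until the upgrade is applied, restricting that path to authenticated sessions at the reverse proxy removes the unauthenticated exposure entirely.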


To patch this vulnerability, update Ametys CMS to the latest version (>= 4.5.0).