CVE-2017-16935 - OpenCVE

Ametys before 4.0.3 requires authentication only for URIs containing a /cms/ substring, which allows remote attackers to bypass intended access restrictions via a direct request to /plugins/core-ui/servercomm/messages.xml, as demonstrated by changing the admin password by obtaining account details via a users/search.json request, and then modifying the account via an editUser request.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Ametys	Ametys

Configuration 1 [-]

cpe:2.3:a:ametys:ametys:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://blogs.securiteam.com/index.php/archives/3517
https://issues.ametys.org/browse/RUNTIME-2582

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2017-11-24T07:00:00

Updated: 2024-08-05T20:43:57.812Z

Reserved: 2017-11-24T00:00:00

Link: CVE-2017-16935

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2017-11-24T07:29:00.303

Modified: 2019-10-03T00:03:26.223

Link: CVE-2017-16935

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2017-11-24T00:00:00", "descriptions": [{"lang": "en", "value": "Ametys before 4.0.3 requires authentication only for URIs containing a /cms/ substring, which allows remote attackers to bypass intended access restrictions via a direct request to /plugins/core-ui/servercomm/messages.xml, as demonstrated by changing the admin password by obtaining account details via a users/search.json request, and then modifying the account via an editUser request."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-11-24T07:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://blogs.securiteam.com/index.php/archives/3517"}, {"tags": ["x_refsource_MISC"], "url": "https://issues.ametys.org/browse/RUNTIME-2582"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2017-16935", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Ametys before 4.0.3 requires authentication only for URIs containing a /cms/ substring, which allows remote attackers to bypass intended access restrictions via a direct request to /plugins/core-ui/servercomm/messages.xml, as demonstrated by changing the admin password by obtaining account details via a users/search.json request, and then modifying the account via an editUser request."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://blogs.securiteam.com/index.php/archives/3517", "refsource": "MISC", "url": "https://blogs.securiteam.com/index.php/archives/3517"}, {"name": "https://issues.ametys.org/browse/RUNTIME-2582", "refsource": "MISC", "url": "https://issues.ametys.org/browse/RUNTIME-2582"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T20:43:57.812Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://blogs.securiteam.com/index.php/archives/3517"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://issues.ametys.org/browse/RUNTIME-2582"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2017-16935", "datePublished": "2017-11-24T07:00:00", "dateReserved": "2017-11-24T00:00:00", "dateUpdated": "2024-08-05T20:43:57.812Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ametys:ametys:*:*:*:*:*:*:*:*", "matchCriteriaId": "A37995E5-E1D7-46A1-B9E9-D9D274FD9801", "versionEndExcluding": "4.0.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Ametys before 4.0.3 requires authentication only for URIs containing a /cms/ substring, which allows remote attackers to bypass intended access restrictions via a direct request to /plugins/core-ui/servercomm/messages.xml, as demonstrated by changing the admin password by obtaining account details via a users/search.json request, and then modifying the account via an editUser request."}, {"lang": "es", "value": "Ametys en versiones anteriores a la 4.0.3 solo requiere autenticaci\u00f3n para URI que contienen una subcadena /cms/. Esto permite que atacantes remotos omitan las restricciones de acceso planeadas mediante una petici\u00f3n directa a /plugins/core-ui/servercomm/messages.xml, tal y como demuestra el cambio de la contrase\u00f1a de administrador obteniendo los detalles de la cuenta mediante una petici\u00f3n users/search.json y modificando la cuenta mediante una petici\u00f3n editUser."}], "id": "CVE-2017-16935", "lastModified": "2019-10-03T00:03:26.223", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-11-24T07:29:00.303", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Technical Description", "Third Party Advisory"], "url": "https://blogs.securiteam.com/index.php/archives/3517"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://issues.ametys.org/browse/RUNTIME-2582"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "nvd@nist.gov", "type": "Primary"}]}