CMS-10973

Unauthenticated information disclosure vulnerability report


    • Bug
    • Resolution: Fixed
    • Major
    • 4.5.0
    • None
    • None
    • None
    • Ametys 4.3.18
    • 4.5 RC2


      I found a vulnerability in the auto-completion plugin.

      The auto-completion plugin exposes an XML file containing all the words typed inside the posts, both private and public. This file is exposed without authentication at:


      It is possible for an attacker to extract the complete content of the XML file even with the limit set to 10 matching results using API scraping techniques such as this one: https://podalirius.net/en/articles/scraping-search-apis-depth-first-style/

      The information present in this XML file can contain sensitive information such as passwords, IP addresses, usernames and emails. I successfully managed to get a list of valid usernames from this auto-completion XML file in one of my clients' apps, without authentication.

      Fix: I think the auto-completion plugin should not expose this XML file at all, but if it does, it should at least be protected by authentication.

      Best regards,

            Raphaël Franchet
            Podalirius
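An added example, not part of the original report or of the Ametys code base: it flags clients whose auto-completion requests fan out across sibling prefixes, the access pattern that defeats a 10-result limit. The endpoint path, the `q` parameter name, the thresholds and the log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Assumptions, not taken from the report: endpoint path, parameter name, thresholds.
ENDPOINT = "/AUTOCOMPLETE-ENDPOINT-PLACEHOLDER"
PARAM = "q"
MAX_FANOUT = 8     # distinct one-character extensions of a single prefix
MAX_BRANCHING = 3  # number of prefixes with more than two distinct extensions
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "GET (\S+) [^"]*" \d{3}')

def prefix_trees(lines):
    """Per client: requested prefix -> set of next characters requested after it."""
    trees = defaultdict(lambda: defaultdict(set))
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, target = m.groups()
        url = urlsplit(target)
        if url.path != ENDPOINT:
            continue
        for term in parse_qs(url.query).get(PARAM, []):
            term = term.lower()
            if len(term) > 1:  # skip the root: first letters vary for normal users too
                trees[client][term[:-1]].add(term[-1])
    return trees

def suspicious_clients(lines):
    """Flag clients that walk the prefix tree sideways instead of typing one word."""
    flagged = {}
    for client, tree in prefix_trees(lines).items():
        fanout = max(len(children) for children in tree.values())
        branching = sum(1 for children in tree.values() if len(children) > 2)
        if fanout >= MAX_FANOUT or branching >= MAX_BRANCHING:
            flagged[client] = {"max_fanout": fanout, "branching_prefixes": branching}
    return flagged

def sample_log():
    """Constructed access-log lines: one user typing two words, one client enumerating."""
    fmt = '{} - - [01/Jan/2024:10:00:00 +0000] "GET {}?{}={}&limit=10 HTTP/1.1" 200 512'
    typed = ["a", "am", "ame", "amet", "p", "pa", "pas", "pag", "page"]
    walked = ["a"] + ["a" + c for c in "abcdefghij"] + ["ad" + c for c in "mno"]
    return ([fmt.format("192.0.2.10", ENDPOINT, PARAM, t) for t in typed]
            + [fmt.format("198.51.100.7", ENDPOINT, PARAM, t) for t in walked])

if __name__ == "__main__":
    print(suspicious_clients(sample_log()))
```

Run it over a short time window per client; over long windows or behind shared NAT addresses, legitimate users accumulate fan-out as well.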