CVE-2017-16935 in Ametys
Summary
by MITRE
Ametys before 4.0.3 requires authentication only for URIs containing a /cms/ substring, which allows remote attackers to bypass intended access restrictions via a direct request to /plugins/core-ui/servercomm/messages.xml, as demonstrated by changing the admin password by obtaining account details via a users/search.json request, and then modifying the account via an editUser request.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 08/11/2025
The vulnerability identified as CVE-2017-16935 represents a critical access control flaw in Ametys CMS versions prior to 4.0.3. This issue stems from an improper authentication mechanism that creates a security bypass condition by failing to enforce access controls on specific URI patterns. The flaw manifests when the system only requires authentication for URIs containing the /cms/ substring, leaving certain endpoints unprotected despite their sensitive nature. This design oversight creates a pathway for unauthorized remote attackers to exploit the system's access controls and gain elevated privileges.
The technical implementation of this vulnerability demonstrates a classic case of insufficient authorization checks within the application's security framework. Attackers can directly access the /plugins/core-ui/servercomm/messages.xml endpoint without proper authentication, which serves as a gateway to additional sensitive functionality. This endpoint acts as a pivot point that enables further exploitation by allowing attackers to first obtain account details through the users/search.json request, which reveals user information and account structures. The vulnerability's exploitation chain leverages the weak authentication model to progress from initial reconnaissance to privilege escalation through the editUser request that modifies account information.
The operational impact of this vulnerability extends beyond simple unauthorized access, as it enables complete account compromise and potential system takeover. Remote attackers can leverage this vulnerability to change administrator passwords, effectively locking out legitimate users and gaining persistent access to the system. The attack vector demonstrates a sophisticated understanding of the application's internal architecture, as it exploits the specific URI pattern matching logic to bypass intended security controls. This weakness creates a persistent threat that can be exploited by anyone with network access to the vulnerable system, making it particularly dangerous in publicly accessible environments.
Organizations affected by this vulnerability should immediately implement mitigations including upgrading to Ametys version 4.0.3 or later, which contains the necessary authentication fixes. Network segmentation and access control measures should be implemented to restrict access to sensitive endpoints, while monitoring systems should be configured to detect unusual access patterns to the vulnerable URI paths. The vulnerability aligns with CWE-285, which addresses improper authorization issues in software applications, and maps to attack techniques in the MITRE ATT&CK framework under privilege escalation and credential access categories. Regular security assessments and proper input validation should be implemented to prevent similar authentication bypass vulnerabilities from emerging in the application's architecture.