CVE-2017-16935

Name of the Vulnerable Software and Affected Versions Ametys versions prior to 4.0.3

Description The issue allows remote attackers to bypass intended access restrictions. This can be achieved by making a direct request to "/plugins/core-ui/servercomm/messages.xml". Attackers can exploit this by obtaining account details via a "users/search.json" request and then modifying the account via an "editUser" request.

Recommendations For Ametys versions prior to 4.0.3, update to version 4.0.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the "/plugins/core-ui/servercomm/messages.xml" endpoint and limiting the use of "users/search.json" and "editUser" requests until a patch is applied.