CVE-2022-26159

Name of the Vulnerable Software and Affected Versions Ametys CMS versions prior to 4.5.0

Description The auto-completion plugin in Ametys CMS allows a remote unauthenticated attacker to read documents, which contain all characters typed by all users, including the content of private pages. These documents may include sensitive information such as usernames, e-mail addresses, and possibly passwords. The attacker can access files like plugins/web/service/search/auto-completion/<domain>/en.xml and similar pathnames for other languages.

Recommendations For Ametys CMS versions prior to 4.5.0, update to version 4.5.0 or later to resolve the issue. As a temporary workaround, consider disabling the auto-completion plugin until a patch is available. Restrict access to the plugins/web/service/search/auto-completion directory to minimize the risk of exploitation. Avoid using the auto-completion feature in sensitive areas of the application until the issue is resolved.