CVE-2018-19109

Vulnerability

tianti 2.3 contains an incorrect access control vulnerability in the cmscontroller.java and usercontroller.java controllers. The endpoints /cms/column/list and /user/skin/list do not perform permission checks, allowing any authenticated user (including those with only the permission role) to access these resources. The affected version is tianti 2.3 [1].

Exploitation

An attacker must have a valid authenticated session with any role, even the minimal permission role. The attacker can simply navigate to the URLs http://127.0.0.1:8080/tianti-module-admin/cms/column/list or http://127.0.0.1:8080/tianti-module-admin/user/skin/list directly in a browser or via HTTP requests [1].

Impact

Successful exploitation allows the attacker to view and edit the column list and column settings, as well as access skin management functionality. This bypasses the intended permission restrictions, leading to unauthorized information disclosure and potential modification of content that should be restricted to super administrators [1].

Mitigation

No official fixed version has been released as of the publication date. The vendor was advised to add permission checks before executing the main logic in the affected controller functions. Until a patch is available, administrators should implement custom access controls or restrict network access to the application [1].