CVE-2018-19110
Description
Authenticated low-privileged users can access the skin-management functionality in tianti 2.3 due to missing authorization checks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In tianti 2.3, the skin-management feature lacks an authorization check. usercontroller.java maps the /skin/list request to the skinList function without verifying the caller's permissions [1], so any authenticated user, regardless of assigned role, can open the skin-management interface.
Exploitation
An attacker holding a low-privileged authenticated account can request http://127.0.0.1:8080/tianti-module-admin/user/skin/list directly, bypassing the intended permission restriction [1]. No additional privileges or special conditions are required; a valid session is sufficient.
Impact
Successful exploitation lets a low-privileged user view the skin-management interface, which should be restricted to administrators, and potentially modify skin settings through it, resulting in unauthorized configuration changes and disclosure of skin configuration data [1].
Mitigation
As of the CVE publication date (2018-11-08), no official patch had been released; the vendor was notified through the GitHub issue [1]. Until a fix ships, administrators should add an explicit authorization check (verifying the session user's role) before skinList in usercontroller.java does any work, and confirm that the other skin-management routes enforce the same check rather than only the one endpoint named in the report.
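The following is an added example, not tianti's own code, showing the pattern described in the Vulnerability section (a /skin/list handler with no role check) beside a hardened form, plus a path-scoped interceptor so sibling skin-management routes are covered too. It is written against Spring MVC 5 with the servlet API; the SessionUser class, the "loginUser" session attribute, the role strings and the sample skin list are all assumptions made for this example, since the page does not show tianti's real user model.

```java
package example;

import java.io.IOException;
import java.util.Arrays;
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.context.annotation.Configuration;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.ModelAndView;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

// Assumed session model: tianti's real user/role classes are not shown on the page.
class SessionUser {
    final String name;
    final String role; // "admin" or "user" in this example
    SessionUser(String name, String role) { this.name = name; this.role = role; }
    boolean isAdmin() { return "admin".equals(role); }
}

final class AuthzCheck {
    static final String SESSION_USER_KEY = "loginUser"; // assumed attribute name

    // Central check used by both the handler and the interceptor below.
    // Returns true if the request may proceed; otherwise writes 401/403 and returns false.
    static boolean requireAdmin(HttpSession session, HttpServletResponse resp) throws IOException {
        SessionUser user = session == null ? null : (SessionUser) session.getAttribute(SESSION_USER_KEY);
        if (user == null) {                 // not authenticated at all
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return false;
        }
        if (!user.isAdmin()) {              // authenticated, but wrong role: the CVE's case
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return false;
        }
        return true;
    }
}

@Controller
@RequestMapping("/user")
public class SkinController {

    // BEFORE: the pattern the CVE describes. Any caller that reaches the handler
    // gets the skin list; nothing here asks what role the session user holds.
    @RequestMapping(value = "/skin/list-unchecked", method = RequestMethod.GET)
    public ModelAndView skinListVulnerable() {
        return new ModelAndView("skin/list", "skins", loadSkins());
    }

    // AFTER: an explicit authorization check runs before any skin-management work.
    @RequestMapping(value = "/skin/list", method = RequestMethod.GET)
    public ModelAndView skinList(HttpSession session, HttpServletResponse resp) throws IOException {
        if (!AuthzCheck.requireAdmin(session, resp)) {
            return null; // error status already written
        }
        return new ModelAndView("skin/list", "skins", loadSkins());
    }

    private List<String> loadSkins() {
        return Arrays.asList("default", "dark"); // constructed placeholder data
    }
}

// Defence in depth: apply the same check to every /user/skin/** route, so a handler
// that forgets the per-method check (the root cause here) is still protected.
class SkinAdminInterceptor implements HandlerInterceptor {
    @Override
    public boolean preHandle(HttpServletRequest req, HttpServletResponse resp, Object handler)
            throws IOException {
        return AuthzCheck.requireAdmin(req.getSession(false), resp);
    }
    @Override
    public void postHandle(HttpServletRequest req, HttpServletResponse resp, Object handler,
                           ModelAndView mv) { }
    @Override
    public void afterCompletion(HttpServletRequest req, HttpServletResponse resp, Object handler,
                                Exception ex) { }
}

@Configuration
class SkinAdminConfig implements WebMvcConfigurer {
    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        registry.addInterceptor(new SkinAdminInterceptor()).addPathPatterns("/user/skin/**");
    }
}
```

After deploying a change like this, verify it the way the report does: log in with a non-admin account and request /tianti-module-admin/user/skin/list; the response should be 403, not the skin list. Repeat for every other route under /user/skin/, since a fix limited to skinList leaves any sibling save or delete handler exactly where /skin/list was before.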
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: = 2.3
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
[1] https://github.com/xujeff/tianti/issues/29 (MITRE x_refsource_MISC)
News mentions
No linked articles in our index yet.