I. VULNERABILITY ------------------------- Jalios JCMS 10 allows attackers to access any part of the website and the WebDAV server with administrative privileges via a backdoor account using any username and an specific password. II. CVE REFERENCE ------------------------- CVE-2019-19033 III. VENDOR ------------------------- Jalios (https://www.jalios.com/jcms/j_6/en/home) IV. TIMELINE ------------------------- 08/11/19 - Vulnerability discovered 09/11/19 - Vendor contacted 14/11/19 - Vendor fixes the vulnerability V. DESCRIPTION ------------------------- The "webdav" folder uses HTTP authentication which can be bypassed using the backdoor account. This allows to get access to the website as the administrator and then create more administrator users, change passwords of any username, delete usernames, create groups, download the list of all the users (with email addresses, phone numbers, full names ...). It is also possible to upload or overwrite any file in the WebDAV server. The "webdav" folder is located by default in the root of the website. This is caused by a vulnerable version of the "DevTools" plugin, installed by default. VI. IMPACT ------------------------- CVSS 10.0(AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)) VII. SOLUTION ------------------------- Possible solutions: - Disable the DevToolsAuthenticationHandler - Disable or uninstall the DevTools plugin. - Upgrade DevTools plugin to version 7.1 or 8.1 VIII. REFERENCES ------------------------- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19033 IX. CREDIT ------------------------- Ricardo José Ruiz Fernández (@ricardojoserf)