CVE-2018-19110

2018-11-0808:00:00

mitre

www.cve.org

AI Score

6.2

Confidence

High

EPSS

0.001

Percentile

38.5%

JSON

The skin-management feature in tianti 2.3 allows remote authenticated users to bypass intended permission restrictions by visiting tianti-module-admin/user/skin/list directly because controller\usercontroller.java maps a /skin/list request to the function skinList, and lacks an authorization check.

References

github.com/xujeff/tianti/issues/29