CVE-2021-25972

Опубликовано: 20 окт. 2021

Источник: nvd

CVSS3: 4.9

CVSS2: 4

EPSS Низкий

Описание

In Camaleon CMS, versions 2.1.2.0 to 2.6.0, are vulnerable to Server-Side Request Forgery (SSRF) in the media upload feature, which allows admin users to fetch media files from external URLs but fails to validate URLs referencing to localhost or other internal servers. This allows attackers to read files stored in the internal server.

Ссылки

https://github.com/owen2345/camaleon-cms/commit/5a252d537411fdd0127714d66c1d76069dc7e190
Patch
Third Party Advisory
https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25972
Third Party Advisory
https://github.com/owen2345/camaleon-cms/commit/5a252d537411fdd0127714d66c1d76069dc7e190
Patch
Third Party Advisory
https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25972
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:tuzitio:camaleon_cms:*:*:*:*:*:*:*:*

Версия от 2.1.2.0 (включая) до 2.6.0 (включая)

EPSS

Процентиль: 55%

0.00324

Низкий

4.9 Medium

CVSS3

4 Medium

CVSS2

Дефекты

CWE-918

Связанные уязвимости

GHSA-vx6p-q4gj-x6xx