Description
In Camaleon CMS, versions 2.1.2.0 to 2.6.0, are vulnerable to Server-Side Request Forgery (SSRF) in the media upload feature, which allows admin users to fetch media files from external URLs but fails to validate URLs referencing to localhost or other internal servers. This allows attackers to read files stored in the internal server.
References
https://github.com/owen2345/camaleon-cms/commit/5a252d537411fdd0127714d66c1d76069dc7e190
PatchThird Party Advisory
https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25972
Third Party Advisory
CVSS impact metrics
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
4.9 · Medium
CVSS V3.1
CVSS V3.0
CVSS V2.0
Information
Source identifier
Vulnerability status
Analyzed
Published
2021-10-20T12:15:07.713
3 years agoLast modified
2021-10-25T19:20:33.250
3 years ago