GHSA-x832-r2rj-4g5p

Source
https://github.com/advisories/GHSA-x832-r2rj-4g5p
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-x832-r2rj-4g5p/GHSA-x832-r2rj-4g5p.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-x832-r2rj-4g5p
Aliases
Published
2022-02-20T00:00:32Z
Modified
2024-02-16T08:16:39.308955Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
SSRF in Kitodo.Presentation
Details

An issue was discovered in the Kitodo.Presentation (aka dlf) extension before 2.3.2, 3.x before 3.2.3, and 3.3.x before 3.3.4 for TYPO3. A missing access check in an eID script allows an unauthenticated user to submit arbitrary URLs to this component. This results in SSRF, allowing attackers to view the content of any file or webpage the webserver has access to.

References

Affected packages

Packagist / kitodo/presentation

Package

Name
kitodo/presentation
Purl
pkg:composer/kitodo/presentation

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
2.3.2

Affected versions

v2.*

v2.3.0
v2.3.1

Packagist / kitodo/presentation

Package

Name
kitodo/presentation
Purl
pkg:composer/kitodo/presentation

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.0.0
Fixed
3.2.3

Affected versions

v3.*

v3.0.0
v3.0.1
v3.1.0
v3.1.1
v3.1.2
v3.2.0
v3.2.1
v3.2.2

Packagist / kitodo/presentation

Package

Name
kitodo/presentation
Purl
pkg:composer/kitodo/presentation

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.3.0
Fixed
3.3.4

Affected versions

v3.*

v3.3.0
v3.3.1
v3.3.2
v3.3.3