Lucene search

K
cve[email protected]CVE-2024-25738
HistoryMay 22, 2024 - 7:15 p.m.

CVE-2024-25738

2024-05-2219:15:08
web.nvd.nist.gov
25
server-side request forgery
overwrite local configuration files
gain access to administrator panel
remote code execution
php runtime setting
default installations
exposed upgrade route
autoconfigure setting
nvd

7.4 High

AI Score

Confidence

Low

0 Low

EPSS

Percentile

0.0%

A Server-Side Request Forgery (SSRF) vulnerability in the /Upgrade/FixConfig route in Open Library Foundation VuFind 2.0 through 9.1 before 9.1.1 allows a remote attacker to overwrite local configuration files to gain access to the administrator panel and achieve Remote Code Execution. A mitigating factor is that it requires the allow_url_include PHP runtime setting to be on, which is off in default installations. It also requires the /Upgrade route to be exposed, which is exposed by default after installing VuFind, and is recommended to be disabled by setting autoConfigure to false in config.ini.

7.4 High

AI Score

Confidence

Low

0 Low

EPSS

Percentile

0.0%

Related for CVE-2024-25738