Lucene search

K
osvGoogleOSV:GHSA-WX24-VQRG-M6M5
HistoryMay 22, 2024 - 9:30 p.m.

VuFind Server-Side Request Forgery (SSRF) vulnerability

2024-05-2221:30:35
Google
osv.dev
1
server-side request forgery
open library foundation vufind
remote code execution
php runtime setting
default installations
config.ini
software

7.6 High

AI Score

Confidence

Low

0 Low

EPSS

Percentile

0.0%

A Server-Side Request Forgery (SSRF) vulnerability in the /Upgrade/FixConfig route in Open Library Foundation VuFind 2.0 through 9.1 before 9.1.1 allows a remote attacker to overwrite local configuration files to gain access to the administrator panel and achieve Remote Code Execution. A mitigating factor is that it requires the allow_url_include PHP runtime setting to be on, which is off in default installations. It also requires the /Upgrade route to be exposed, which is exposed by default after installing VuFind, and is recommended to be disabled by setting autoConfigure to false in config.ini.

7.6 High

AI Score

Confidence

Low

0 Low

EPSS

Percentile

0.0%

Related for OSV:GHSA-WX24-VQRG-M6M5