A Server-Side Request Forgery (SSRF) vulnerability in the /Upgrade/FixConfig route in Open Library Foundation VuFind 2.0 through 9.1 before 9.1.1 allows a remote attacker to overwrite local configuration files to gain access to the administrator panel and achieve Remote Code Execution. A mitigating factor is that it requires the allow_url_include PHP runtime setting to be on, which is off in default installations. It also requires the /Upgrade route to be exposed, which is exposed by default after installing VuFind, and is recommended to be disabled by setting autoConfigure to false in config.ini.
CPE | Name | Operator | Version |
---|---|---|---|
vufind/vufind | eq | 2.5 | |
vufind/vufind | eq | 2.5.2 | |
vufind/vufind | eq | 5.0 | |
vufind/vufind | eq | 6.0 | |
vufind/vufind | eq | 4.1.1 | |
vufind/vufind | eq | 7.0 | |
vufind/vufind | eq | 7.1 | |
vufind/vufind | eq | 3.1 | |
vufind/vufind | eq | 7.1.1 | |
vufind/vufind | eq | 8.0.4 |