An issue was discovered in the Kitodo.Presentation (aka dlf) extension before 2.3.2, 3.x before 3.2.3, and 3.3.x before 3.3.4 for TYPO3. A missing access check in an eID script allows an unauthenticated user to submit arbitrary URLs to this component. This results in SSRF, allowing attackers to view the content of any file or webpage the webserver has access to.
github.com/kitodo/kitodo-presentation/commit/059be3f82b08c60cbb798986cd3ff22dbf60a5e4
github.com/kitodo/kitodo-presentation/commit/4a20621afc30778ba3b045be5110353cf4fd4fd4
github.com/kitodo/kitodo-presentation/commit/9700478b46445f562c3e2051d61565d779f59275
nvd.nist.gov/vuln/detail/CVE-2022-24980
security.snyk.io/vuln/SNYK-PHP-KITODOPRESENTATION-2407280
typo3.org/help/security-advisories
typo3.org/security/advisory/typo3-ext-sa-2022-001
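The affected ranges in the description are not contiguous: 3.2.3 is fixed, yet 3.3.0 through 3.3.3 are still vulnerable, so a plain "at least 3.2.3" comparison gives the wrong answer. The following check is an added example, not code from the advisory or the Kitodo project; it assumes the extension was installed with Composer under the package name `kitodo/presentation` and reads the version from `composer.lock`.

```python
import json
import re

# Affected ranges from the advisory, as half-open intervals [low, high).
AFFECTED = [
    ((0, 0, 0), (2, 3, 2)),   # before 2.3.2
    ((3, 0, 0), (3, 2, 3)),   # 3.x before 3.2.3
    ((3, 3, 0), (3, 3, 4)),   # 3.3.x before 3.3.4
]

PACKAGE = "kitodo/presentation"  # assumed Composer package name


def parse_version(text):
    """Turn 'v3.2.1' or '3.3' into a 3-tuple; None for dev branches etc."""
    m = re.fullmatch(r"v?(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    if not m:
        return None
    return tuple(int(p or 0) for p in m.groups())


def is_affected(version_text):
    """True/False for a release version, None if it cannot be parsed."""
    v = parse_version(version_text)
    if v is None:
        return None
    return any(low <= v < high for low, high in AFFECTED)


def audit_lock(lock_json):
    """Return (version, affected) for the extension, or None if absent."""
    lock = json.loads(lock_json)
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if pkg.get("name") == PACKAGE:
            return pkg.get("version", ""), is_affected(pkg.get("version", ""))
    return None


# Constructed composer.lock fragment, not taken from a real installation.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "typo3/cms-core", "version": "v9.5.31"},
    {"name": PACKAGE, "version": "v3.3.1"},
]})

if __name__ == "__main__":
    print(audit_lock(SAMPLE_LOCK))  # ('v3.3.1', True)
    for v in ("2.3.1", "2.3.2", "3.2.3", "3.3.0", "3.3.4", "dev-master"):
        print(v, is_affected(v))
```

A result of `None` from `is_affected` (for example a `dev-` branch checkout) means the version string cannot be compared and the installed commit has to be checked against the fix commits by hand.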