PT-2018-13275 · Idreamsoft · Icms
Published 2018-08-27 · Updated 2018-11-07
CVE-2018-15895
CVSS v3.1: 7.5 (High)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
idreamsoft iCMS version 7.0.11
Description
A Server-Side Request Forgery (SSRF) issue was found due to the remote function in app/spider/spider_tools.class.php not properly blocking DNS hostnames associated with private and reserved IP addresses. This can be demonstrated by using 127.0.0.1 in an A record.
Recommendations
For idreamsoft iCMS version 7.0.11, consider modifying the remote function in app/spider/spider_tools.class.php to properly block DNS hostnames associated with private and reserved IP addresses as a temporary workaround until a patch is available. Restrict access to the spider_tools.class.php file to minimize the risk of exploitation.
Exploit
Fix
SSRF
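The hostname check that the Recommendations section describes, written out as an added Python example (not iCMS's own PHP code): every address a hostname resolves to is inspected, any answer in a private, reserved, loopback or link-local range causes the fetch to be refused, and the vetted addresses are returned so the fetcher connects to exactly those. The resolver is injectable so the check can be exercised offline; the extra CGNAT and link-local ranges, and the `safe_remote_targets` name, are my assumptions.

```python
from __future__ import annotations
import ipaddress
import socket
from urllib.parse import urlsplit

# Extra ranges to refuse beyond what ipaddress flags as private/reserved
# (assumption: a CGNAT or link-local address is never a valid fetch target).
EXTRA_BLOCKED = [ipaddress.ip_network(n) for n in ("100.64.0.0/10", "169.254.0.0/16")]


def is_blocked_ip(ip_text: str) -> bool:
    """True if the address lies in a private, reserved or otherwise internal range."""
    ip = ipaddress.ip_address(ip_text)
    # Unwrap IPv4-mapped IPv6 (::ffff:127.0.0.1) so the IPv4 rules apply to it.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if (ip.is_private or ip.is_reserved or ip.is_loopback
            or ip.is_link_local or ip.is_multicast or ip.is_unspecified):
        return True
    return any(ip in net for net in EXTRA_BLOCKED)


def system_resolver(host: str) -> list[str]:
    """Resolve every A and AAAA record, not only the first answer."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def safe_remote_targets(url: str, resolve=system_resolver) -> list[str]:
    """Return the vetted addresses a fetcher may connect to, or raise ValueError.

    The caller must connect to one of the returned addresses (sending the
    original hostname in the Host header) instead of resolving again at
    connect time; otherwise a changed DNS answer (rebinding) bypasses the check.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("only http(s) URLs with a hostname are allowed")
    host = parts.hostname
    try:
        addrs = [str(ipaddress.ip_address(host))]  # literal IP: no lookup needed
    except ValueError:
        addrs = list(resolve(host))
    if not addrs:
        raise ValueError(f"{host} does not resolve")
    blocked = [a for a in addrs if is_blocked_ip(a)]
    if blocked:  # a single internal answer among several is enough to refuse
        raise ValueError(f"{host} resolves to blocked address(es): {blocked}")
    return addrs
```

Redirect targets must go through the same check before they are followed, since a permitted host can redirect to an internal address.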
Weakness Enumeration
Related identifiers
Affected products
Icms