PT-2018-15030 · Interspire · Interspire Email Marketer
Published 2018-11-28 · Updated 2018-12-20 · CVE-2018-19651
CVSS v3.1: 6.5 (Medium)
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Interspire Email Marketer versions prior to 6.1.7
Description
The issue allows for Server Side Request Forgery (SSRF) via a "what=importurl&url=" request with an http or https URL to the "admin/functions/remote.php" endpoint. This also enables reading local files using a "file:" URL.
Recommendations
For versions prior to 6.1.7, update to version 6.1.7 or later to resolve the issue. As a temporary workaround, consider restricting access to the "admin/functions/remote.php" endpoint to minimize the risk of exploitation. Avoid using the url parameter in the affected endpoint until the issue is resolved.
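While the workaround above is in place, the same endpoint and parameter can be watched in web-server access logs. The following is an added detection example, not code from the advisory or from Interspire: it scans constructed Apache-style log lines for "admin/functions/remote.php" requests with what=importurl, decodes the url parameter, and labels each hit as a non-http scheme (file: read), an internal target (loopback, private or link-local address literal, or localhost), or an external fetch. Hostnames are not resolved, so an external-looking hostname is only a weaker signal.

```python
import ipaddress
from urllib.parse import urlparse, parse_qs

VULN_PATH = "/admin/functions/remote.php"

# Constructed sample access-log lines for this example (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [28/Nov/2018:10:01:02 +0000] "GET /admin/functions/remote.php?what=importurl&url=http%3A%2F%2F127.0.0.1%3A8080%2F HTTP/1.1" 200 512
203.0.113.5 - - [28/Nov/2018:10:01:09 +0000] "GET /admin/functions/remote.php?what=importurl&url=file%3A%2F%2F%2Fetc%2Fhosts HTTP/1.1" 200 1912
203.0.113.7 - - [28/Nov/2018:10:02:15 +0000] "GET /admin/functions/remote.php?what=importurl&url=https%3A%2F%2Fexample.com%2Flist.csv HTTP/1.1" 200 4096
198.51.100.9 - - [28/Nov/2018:10:03:00 +0000] "GET /admin/index.php HTTP/1.1" 200 2048
"""

def classify_import_url(raw_url: str) -> str:
    """Label the decoded url parameter by the kind of target it points at."""
    parsed = urlparse(raw_url)
    if parsed.scheme.lower() not in ("http", "https"):
        return "non-http scheme (local file read attempt)"
    host = parsed.hostname or ""
    if host.lower() == "localhost":
        return "internal target"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "external fetch"  # hostname; would need DNS to judge further
    if ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_reserved:
        return "internal target"
    return "external fetch"

def find_importurl_requests(log_text: str) -> list:
    """Return (client_ip, decoded_url, verdict) for every hit on the endpoint."""
    hits = []
    for line in log_text.splitlines():
        try:
            client_ip = line.split(" ", 1)[0]
            target = line.split('"')[1].split(" ")[1]  # request path + query
        except IndexError:
            continue  # malformed line
        parsed = urlparse(target)
        if not parsed.path.endswith(VULN_PATH):
            continue
        qs = parse_qs(parsed.query)  # parse_qs also percent-decodes values
        if qs.get("what", [""])[0] != "importurl" or "url" not in qs:
            continue
        url = qs["url"][0]
        hits.append((client_ip, url, classify_import_url(url)))
    return hits
```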
SSRF
Weakness Enumeration
Related identifiers
Affected products
Interspire Email Marketer