PT-2019-13081 · Tightrope · Tightrope Media Carousel

Published: 2019-08-26 · Updated: 2019-09-06 · CVE-2019-13020

CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions
Tightrope Media Carousel versions prior to 7.1.3

Description
The fetch API in Tightrope Media Carousel is susceptible to Server-Side Request Forgery (SSRF) through the CarouselAPI/v0/fetch?url= endpoint: the server retrieves whatever URL is supplied in the url parameter. This can be abused in two main ways. First, in a phishing scenario, a specially crafted URL makes the Carousel server serve content from an attacker-controlled system, hijacking the trust relationship between the user, the browser and the website. Second, because the endpoint requires no authentication, an attacker on the internet can use it to bypass firewall controls and proxy traffic into the internal network.

Recommendations
For versions prior to 7.1.3, update to version 7.1.3 or later, which resolves the issue. As a temporary workaround, restrict access to the CarouselAPI/v0/fetch?url= endpoint to reduce the risk of exploitation.
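The advisory describes the root cause (a server-side fetch of a caller-supplied URL) and recommends restricting access to the endpoint. The following is an added example, not Carousel's own code and not part of the original advisory, of the kind of URL validation a fetch-style endpoint needs to stop SSRF: an allowlist of schemes and hosts plus a check that every address the host resolves to is public. Python, the allowlist contents, the resolver table and the function names are all assumptions for illustration; the resolver table is constructed so the example runs offline.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed, constructed policy for the example: which schemes and hosts the
# server-side fetch is allowed to contact. Not a Carousel setting.
ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = {"cdn.example.com", "feeds.example.com"}

# Constructed resolver table so the example runs offline. A real deployment
# resolves via DNS and applies the same address checks to every returned address.
SAMPLE_DNS = {
    "cdn.example.com": ["93.184.216.34"],
    "feeds.example.com": ["93.184.216.35"],
    "internal.example.com": ["10.0.0.5"],
}


def is_public_address(ip_str):
    """True only for globally routable unicast addresses (no RFC 1918, loopback,
    link-local, multicast, reserved or unspecified addresses)."""
    ip = ipaddress.ip_address(ip_str)
    return ip.is_global and not ip.is_multicast


def validate_fetch_url(url, resolver=lambda host: SAMPLE_DNS.get(host, [])):
    """Decide whether the server may fetch `url` on a client's behalf.

    Returns (ok, reason). Every rejection is explicit so the endpoint can log
    why a request was refused, which doubles as SSRF-attempt detection.
    """
    parts = urlsplit(url)

    # 1. Scheme allowlist: blocks file://, gopher://, plain http and anything exotic.
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"

    # 2. Credentials in the authority ("https://trusted@10.0.0.5/") are a classic
    #    way to make a naive string check see the trusted name first.
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL"

    host = parts.hostname
    if not host:
        return False, "missing host"
    host = host.lower()

    # 3. Host allowlist: IP literals and unknown names are rejected here.
    if host not in ALLOWED_HOSTS:
        return False, "host not in allowlist"

    # 4. Resolve and check every address, so an allowlisted name that points at an
    #    internal address (misconfiguration or rebinding) is still refused.
    addresses = resolver(host)
    if not addresses:
        return False, "host did not resolve"
    for addr in addresses:
        if not is_public_address(addr):
            return False, f"resolves to non-public address {addr}"

    return True, "ok"


if __name__ == "__main__":
    for candidate in (
        "https://cdn.example.com/logo.png",
        "http://cdn.example.com/logo.png",
        "https://internal.example.com/status",
        "https://127.0.0.1/",
        "https://cdn.example.com@10.0.0.5/",
        "file:///etc/hosts",
    ):
        print(candidate, "->", validate_fetch_url(candidate))
```

Two points a practitioner should keep in mind when applying this: the address check has to be enforced on the address the HTTP client actually connects to (and on every redirect target), otherwise DNS rebinding or a 302 to an internal address defeats step 4; and an allowlist of hosts is what makes the endpoint unusable as a general proxy, which is the property the advisory's temporary workaround of restricting access is trying to recover.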

Fix

SSRF


Weakness Enumeration

Related Identifiers

CVE-2019-13020

Affected Products

Tightrope Media Carousel