
Soptikha2

#34820 of 53,630
7.5 Total CVSS
Vulnerabilities · 1
PT-2026-4317
7.5
2026-01-23
Fog · Fog · CVE-2026-24138
**Name of the Vulnerable Software and Affected Versions**

FOG versions 1.5.10.1754 and below

**Description**

FOG is a free open-source cloning/imaging/rescue suite/inventory management system. Versions 1.5.10.1754 and below contain an unauthenticated Server-Side Request Forgery (SSRF) condition in the `getversion.php` file. This can be triggered by providing a user-controlled URL parameter. The issue allows fetching both internal websites and files on the machine running FOG. The condition appears to be reachable without an authenticated web session when the request includes `newService=1`. The API endpoint involved is `getversion.php` and the vulnerable parameter is the URL parameter.

**Recommendations**

At the moment, there is no information about a newer version that contains a fix for this vulnerability.