Stefan Krause

**Name of the Vulnerable Software and Affected Versions** Eveo URVE Web Manager version 27.02.2025 **Description** The application exposes the `/ internal/pc/vpro.php` endpoint to unauthenticated users, which is vulnerable to OS Command Injection. The endpoint accepts an input parameter that is directly passed into the `shell exec()` function of PHP. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Eveo URVE Web Manager version 27.02.2025 **Description** An issue exists in Eveo URVE Web Manager that allows for Server-Side Request Forgery (SSRF). The `/ internal/redirect.php` endpoint accepts a URL as input, sends a request to this address, and reflects the content in the response. This can be used to request endpoints only accessible by the application server. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.