PT-2018-12187 · Concrete5 · Concrete5
Published
2018-07-09
·
Updated
2021-07-15
·
CVE-2018-13790
CVSS v3.1
7.2
High
| Vector | AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
concrete5 version 8.2.0
Description
A Server Side Request Forgery (SSRF) issue in the
remote.php file can lead to attacks on the local network and mapping of the internal network, due to URL functionality on the File Manager page.Recommendations
For concrete5 version 8.2.0, consider restricting access to the
remote.php file in the tools/files/importers directory to minimize the risk of exploitation. As a temporary workaround, limit the use of URL functionality on the File Manager page until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.Exploit
SSRF
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Concrete5