CVE-2018-14858

Name of the Vulnerable Software and Affected Versions idreamsoft iCMS versions prior to 7.0.11

Description A Server-Side Request Forgery (SSRF) issue was found due to the remote function in app/spider/spider tools.class.php not blocking private and reserved IP addresses, such as 10.0.0.0/8. This issue arose from an incomplete fix for a previous problem.

Recommendations For versions prior to 7.0.11, update to version 7.0.11 or later to resolve the issue. As a temporary workaround, consider restricting access to the remote function in app/spider/spider tools.class.php to minimize the risk of exploitation.