PT-2018-13275 · Idreamsoft · Icms

Published 2018-08-27 · Updated 2018-11-07 · CVE-2018-15895

CVSS v3.1: 7.5 High
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: idreamsoft iCMS version 7.0.11

Description: A Server-Side Request Forgery (SSRF) issue was found because the remote function in app/spider/spider_tools.class.php does not properly block DNS hostnames that resolve to private and reserved IP addresses. This can be demonstrated by pointing a hostname's A record at 127.0.0.1.

Recommendations: For idreamsoft iCMS version 7.0.11, as a temporary workaround until a patch is available, modify the remote function in app/spider/spider_tools.class.php so that it properly blocks DNS hostnames associated with private and reserved IP addresses. Restrict access to the spider_tools.class.php file to minimize the risk of exploitation.
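The hostname check the recommendation asks for, as an added example written for this advisory (not iCMS's own code, and in Python rather than the project's PHP so the logic runs stand-alone); it assumes an injectable resolver so the 127.0.0.1 A record case can be exercised with a constructed DNS answer instead of a live lookup.

```python
"""Added example (not iCMS code): vet a user-supplied URL host as the advisory
recommends, rejecting any DNS answer that maps to a private/reserved address."""
import ipaddress
import socket
from urllib.parse import urlsplit

def is_forbidden_ip(ip):
    """True for addresses a server-side fetcher must never contact."""
    addr = ipaddress.ip_address(ip)
    # Covers RFC 1918, 127/8 and ::1, 169.254/16 (cloud metadata),
    # 0.0.0.0, fc00::/7, multicast and IETF-reserved blocks.
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_reserved or addr.is_multicast or addr.is_unspecified)

def resolve_all(hostname):
    """Default resolver: every A/AAAA answer for hostname."""
    return sorted({info[4][0] for info in socket.getaddrinfo(hostname, None)})

def vet_remote_url(url, resolver=resolve_all):
    """Return (scheme, host, vetted_ip) for a fetchable public URL, else raise.
    `resolver` is injectable so the check runs offline against a constructed
    DNS answer such as the 127.0.0.1 A record in the advisory. Callers must
    connect to `vetted_ip` (sending `host` in the Host header) rather than
    re-resolving, or a second lookup may return an internal address."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("only http(s) URLs with a host are allowed")
    host = parts.hostname
    try:  # literal IP in the URL: vet it directly, no DNS involved
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:
        addrs = resolver(host)
    if not addrs:
        raise ValueError(f"{host} did not resolve")
    # Every answer must be public: one internal record is enough to reject,
    # since the fetcher cannot control which answer its HTTP client picks.
    bad = [a for a in addrs if is_forbidden_ip(a)]
    if bad:
        raise ValueError(f"{host} resolves to forbidden address(es): {bad}")
    return parts.scheme, host, addrs[0]

def is_safe_remote_url(url, resolver=resolve_all):
    """Boolean form of vet_remote_url."""
    try:
        vet_remote_url(url, resolver)
        return True
    except ValueError:
        return False
```

The sample addresses used when testing this (93.184.216.34 as a public answer, 127.0.0.1 and 10.0.0.5 as internal ones) are constructed inputs, not data from the advisory.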
Related Identifiers: CVE-2018-15895

Affected Products: Icms