PT-2019-9153 · 42Gears · Suremdm
Published
2019-02-05
·
Updated
2019-02-21
·
CVE-2018-15657
CVSS v3.1
7.3
High
| Vector | AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
42Gears SureMDM versions prior to 2018-11-27
Description
A Server-Side Request Forgery (SSRF) issue was found, allowing exploitation via the /api/DownloadUrlResponse.ashx API endpoint, specifically through the
url parameter.Recommendations
For versions prior to 2018-11-27, as a temporary workaround, consider restricting access to the /api/DownloadUrlResponse.ashx API endpoint until a patch is available. Avoid using the
url parameter in the affected API endpoint until the issue is resolved.Exploit
Fix
SSRF
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Suremdm