PT-2020-9196 · Simple Machines · Simple Machines Forum

Published

2020-03-20

Updated

2020-03-25

CVE-2019-11574

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Simple Machines Forum versions prior to 2.0.17

Description An issue was discovered in Simple Machines Forum related to Subs-Package.php and Subs.php, where user-supplied data is used directly in curl calls, leading to a Server-Side Request Forgery (SSRF) issue.

Recommendations For versions prior to 2.0.17, update to release 2.0.17 or later to resolve the issue. As a temporary workaround, consider restricting the use of the Subs-Package.php and Subs.php files until a patch is available.

Exploit

Fix

SSRF

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-918

Related Identifiers

CVE-2019-11574

Affected Products

Simple Machines Forum

PT-2020-9196 · Simple Machines · Simple Machines Forum

CVE-2019-11574

Weakness Enumeration

Related Identifiers

Affected Products

References · 6