PT-2021-23406 · Alfresco · Org.Alfresco:Alfresco-Content-Services+1
Published
2021-10-21
·
Updated
2021-10-27
·
CVE-2021-41792
CVSS v3.1
5.3
Medium
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
org.alfresco:alfresco-content-services versions through 6.2.2.18
org.alfresco:alfresco-transform-services versions through 1.3
Description
An issue allows an attacker to trigger an unexpected request by the transformation engine using a crafted HTML file. This is a blind Server-Side Request Forgery (SSRF) issue, where the response to the request is not available to the attacker.
Recommendations
For org.alfresco:alfresco-content-services versions through 6.2.2.18, update to a version that contains a fix for this issue.
For org.alfresco:alfresco-transform-services versions through 1.3, update to a version that contains a fix for this issue.
As a temporary workaround, consider restricting the upload of HTML files to minimize the risk of exploitation.
Fix
SSRF
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Org.Alfresco:Alfresco-Content-Services
Org.Alfresco:Alfresco-Transform-Services