PT-2022-11274 · Unknown · IPS Community Suite

Mikhail Klyuchnikov · Published 2022-06-13 · Updated 2022-06-27 · CVE-2021-40604

CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: IPS Community Suite versions prior to 4.6.2

Description: A Server-Side Request Forgery (SSRF) issue allows remote authenticated users to make the server request arbitrary URLs, or to trigger PHP object deserialization through the phar:// stream wrapper, when the application builds class names dynamically from request data. In some cases exploitation is possible without authentication, which is the case the CVSS vector (PR:N) scores. The request parameter involved is gkey, an unfollow token.

Recommendations: Update IPS Community Suite to version 4.6.2 or later; this resolves the issue. If the update cannot be applied immediately, two stopgaps reduce exposure but do not replace it. First, if nothing on the site legitimately reads .phar archives at runtime, unregister the phar stream wrapper early in the application bootstrap (PHP's stream_wrapper_unregister('phar')); this closes the deserialization path but not the arbitrary-URL requests. Second, gkey is an unfollow token generated by the application and should never carry a URL scheme, so requests whose gkey value contains "://" can be rejected at the web server or WAF. Note that on PHP 8.0 and later phar metadata is no longer unserialized automatically when an archive is opened, which narrows the deserialization variant but leaves the SSRF variant intact.
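To make the bug class concrete, the following is an added example written for this page; it is not code from IPS Community Suite or from the researcher, and it does not reproduce the actual IPS code path around gkey. Function names, the handler allowlist and the temporary directory are all invented. It shows a loader that builds a file name from a request value and hands it to a stream-aware filesystem call, the hardened form of the same loader, and the phar-wrapper stopgap from the recommendations above.

```php
<?php
declare(strict_types=1);

// Added example, not IPS Community Suite code: a hypothetical handler loader
// showing the bug class described above (a request value used to build a
// class/file name reaches a stream-aware filesystem call), beside a hardened
// version and the phar-wrapper workaround. All names here are invented.

// --- Vulnerable pattern ------------------------------------------------------
function loadHandlerVulnerable(string $key): bool
{
    // The handler file name is derived from the request value with no
    // validation, so a scheme such as phar:// or ftp:// is honoured by the
    // stream layer: file_exists() opens the phar archive (PHP 7 unserializes
    // its metadata here; PHP 8.0 stopped doing that automatically), and any
    // wrapper that implements stat() makes the server connect outward.
    $path = $key . '/Handler.php';
    if (file_exists($path)) {
        require $path;
        return true;
    }
    return false;
}

// --- Hardened pattern --------------------------------------------------------
const ALLOWED_HANDLERS = ['follow', 'unfollow', 'digest'];

// A handler name is a short identifier: no ':', '/', '\\' or '..' can pass.
function isSafeName(string $key): bool
{
    return preg_match('/\A[a-z][a-z0-9_]{0,31}\z/', $key) === 1;
}

// Returns the resolved handler path, or null if the name is not on the
// allowlist or the resolved file lies outside $baseDir.
function loadHandlerHardened(string $key, string $baseDir): ?string
{
    if (!isSafeName($key) || !in_array($key, ALLOWED_HANDLERS, true)) {
        return null;
    }
    $root = realpath($baseDir);
    $real = realpath($baseDir . '/' . $key . '/Handler.php');
    if ($root === false || $real === false
        || strncmp($real, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    return $real;
}

// --- Stopgap for the "restrict the phar protocol" recommendation -------------
// With the wrapper unregistered, every phar:// path fails in every stream
// function. Run this before any request data is touched, and only if nothing
// on the site legitimately reads .phar archives at runtime.
function disablePharWrapper(): bool
{
    if (!in_array('phar', stream_get_wrappers(), true)) {
        return false; // already unavailable
    }
    return stream_wrapper_unregister('phar');
}

// --- Constructed demo: one legitimate handler in a temp tree, hostile probes --
$base = sys_get_temp_dir() . '/handlers_' . bin2hex(random_bytes(4));
mkdir($base . '/unfollow', 0700, true);
file_put_contents($base . '/unfollow/Handler.php', "<?php\n");

disablePharWrapper();

$probes = [
    'unfollow',                   // legitimate handler name
    'phar://uploads/avatar.jpg',  // deserialization attempt
    'ftp://attacker.example/x',   // outbound-request attempt
    '../../conf_global.php',      // traversal attempt
];
foreach ($probes as $p) {
    $result = loadHandlerHardened($p, $base);
    printf("%-28s -> %s\n", $p, $result === null ? 'rejected' : 'load ' . $result);
}

// Remove the demo tree.
unlink($base . '/unfollow/Handler.php');
rmdir($base . '/unfollow');
rmdir($base);
```

The hardened loader rejects by shape first (the regular expression leaves no room for a scheme or a path separator) and by allowlist second, then confirms with realpath() that the resolved file is still under the handler root; the wrapper unregistration is defence in depth for any stream call the application did not think to guard. Whether the real IPS fix took this form is not stated on this page.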

Fix

SSRF


Weakness Enumeration

Related Identifiers

CVE-2021-40604

Affected Products

IPS Community Suite