PT-2022-17027 · Unknown · Kitodo.Presentation

Alexander Bigga +1

Published 2022-02-19 · Updated 2022-03-04 · CVE-2022-24980

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Kitodo.Presentation extension versions prior to 2.3.2
Kitodo.Presentation extension versions 3.x prior to 3.2.3
Kitodo.Presentation extension versions 3.3.x prior to 3.3.4

Description

A missing access check in an eID script allows an unauthenticated user to submit arbitrary URLs to this component, resulting in Server-Side Request Forgery (SSRF). This enables attackers to view the content of any file or webpage the webserver has access to.

Recommendations

For Kitodo.Presentation extension versions prior to 2.3.2, update to version 2.3.2 or later.
For Kitodo.Presentation extension versions 3.x prior to 3.2.3, update to version 3.2.3 or later.
For Kitodo.Presentation extension versions 3.3.x prior to 3.3.4, update to version 3.3.4 or later.

As a temporary workaround, consider restricting access to the eID script to prevent unauthenticated users from submitting arbitrary URLs.

Fix

SSRF

Weakness Enumeration

Related Identifiers

CVE-2022-24980
GHSA-X832-R2RJ-4G5P

Affected Products

Kitodo.Presentation