PT-2022-25338 · Canto · Canto Cumulus

Thibaud Kehler · Published 2022-09-09 · Updated 2022-09-10 · CVE-2022-40305

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Canto Cumulus versions through 11.1.3

Description: A Server-Side Request Forgery issue allows attackers to enumerate the internal network, overload network resources, and possibly have unspecified other impact via the server parameter to the "/cwc/login" login form.

Recommendations: For versions through 11.1.3, consider restricting access to the "/cwc/login" login form to minimize the risk of exploitation, and avoid using the server parameter in this form until the issue is resolved.

Exploit · Fix · SSRF


Weakness Enumeration

Related Identifiers: CVE-2022-40305

Affected Products: Canto Cumulus