PT-2022-26771 · Unknown · Kkfileview
Liangyueliangyue · Published 2022-11-17 · Updated 2022-11-18
CVE-2022-43140
CVSS v3.1: 7.5 (High)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
kkFileView version 4.1.0
Description
The issue allows attackers to force the application to make arbitrary requests by injecting crafted URLs into the url parameter. This is a Server-Side Request Forgery (SSRF) in the cn.keking.web.controller.OnlinePreviewController#getCorsFile component.
Recommendations
For kkFileView version 4.1.0, consider restricting access to the cn.keking.web.controller.OnlinePreviewController#getCorsFile component to minimize the risk of exploitation. As a temporary workaround, avoid using the url parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
SSRF
Affected Products
Kkfileview