PT-2023-33042 · Unknown · Xmlrpc Client

Published 2023-01-11 · Updated 2023-01-11

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Name of the Vulnerable Software and Affected Versions: xmlrpc Client (affected versions not specified)

Description: The issue allows an attacker to force the client to access local files or connect to undesired URLs instead of the intended target server's URL. This is possible by abusing the $method argument of Client::send(). The weakness only affects installations where the xmlrpc Client is used with untrusted data as the value for the $method argument, in conjunction with conditions that trigger the usage of curl as the HTTP transport. The chances of exploitation are considered low due to the uncommon usage scenario.
Recommendations: To avoid the Client accessing any local file on the server, add the following call to your code: $client->setCurlOptions([CURLOPT_PROTOCOLS => CURLPROTO_HTTPS|CURLPROTO_HTTP]); (the option array is keyed by curl option constant, as passed to curl_setopt). At the moment, there is no information about a newer version that contains a fix for this vulnerability.
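The following is an added example and is not code from the advisory or from the xmlrpc Client project itself; it assumes the client is the PhpXmlRpc\Client class of phpxmlrpc 4.x loaded via Composer, a constructed endpoint URL, and a hypothetical wrapper function sendWithSafeTransport(). It shows the recommended curl protocol restriction applied together with an allow-list check on the $method value, so that untrusted input never reaches Client::send() as a transport name in the first place.

```php
<?php
// Added example: hardened use of the xmlrpc Client against the $method issue.
// Assumes phpxmlrpc 4.x (namespace PhpXmlRpc) installed through Composer.
require_once __DIR__ . '/vendor/autoload.php';

use PhpXmlRpc\Client;
use PhpXmlRpc\Request;

// Constructed endpoint for the example; in practice this is your fixed,
// trusted target server and should never come from request input.
$client = new Client('https://xmlrpc.example.com/RPC2');

// Mitigation from the advisory: whatever ends up as the URL scheme, curl will
// only speak http/https. file:// and other schemes are refused by curl itself.
$client->setCurlOptions([CURLOPT_PROTOCOLS => CURLPROTO_HTTPS | CURLPROTO_HTTP]);

/**
 * Hypothetical wrapper (not part of the library): only transport names the
 * application actually uses are accepted; anything else is rejected before it
 * can reach Client::send(). The allow-list is an assumption for this example;
 * trim it to the transports your deployment needs.
 */
function sendWithSafeTransport(Client $client, Request $request, string $transport)
{
    $allowed = ['https', 'http'];
    if (!in_array($transport, $allowed, true)) {
        // Fail closed: an unexpected value here is a bug or an attack attempt,
        // so surface it rather than silently falling back to a default.
        throw new InvalidArgumentException('Refusing unexpected transport: ' . $transport);
    }
    // 30 second timeout (constructed value); third argument is the vetted transport.
    return $client->send($request, 30, $transport);
}

// Usage: the transport value is validated even if it originated from input.
$response = sendWithSafeTransport($client, new Request('system.listMethods'), 'https');
if ($response->faultCode()) {
    fwrite(STDERR, 'XML-RPC fault: ' . $response->faultString() . PHP_EOL);
} else {
    var_dump($response->value());
}
```

The allow-list check is defence in depth: it is cheap, logs a clear error on unexpected input, and does not depend on which curl options the transport layer honours.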

Related Identifiers: GHSA-M95X-M25C-W9MP

Affected Products: Xmlrpc Client