PT-2023-5342 · Librey · Librey

Ouuan · Published 2023-09-04 · Updated 2023-09-08 · CVE-2023-41054

CVSS v2.0: 9.4 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:N/A:C
Name of the Vulnerable Software and Affected Versions: LibreY versions prior to commit 8f9b9803f231e2954e5b49987a532d28fe50a627

Description: The issue is a Server-Side Request Forgery (SSRF) vulnerability in the image_proxy.php file. It allows remote attackers to use the server as a proxy to send HTTP GET requests to arbitrary targets via the url parameter, retrieving information from the internal network or conducting Denial-of-Service (DoS) attacks. Attackers can also make the server download large files, or chain requests among multiple instances, to degrade the server's performance or even deny access to legitimate users.

Recommendations: To resolve the issue, LibreY hosters are advised to use the latest commit. As a temporary workaround, consider restricting access to the image_proxy.php file until the issue is resolved, and avoid using the url parameter of the affected API endpoint until then. At the moment, there are no known workarounds for this vulnerability, and the best course of action is to update to the latest version.
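The kind of target screening an image proxy needs against the issue described above, added here as an example; it is not LibreY's own code or its fix, and the function names are assumed:

```php
<?php
// Added example (not LibreY's own code): screen a proxy target before fetching it. Rejects
// non-http(s) schemes, credentials, unusual ports and hosts resolving to internal addresses.
function resolve_safe_proxy_target(string $url): ?array
{
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host']) || isset($p['user']) || isset($p['pass'])) {
        return null;
    }
    $scheme = strtolower($p['scheme']);
    $port = $p['port'] ?? ($scheme === 'https' ? 443 : 80);
    if (!in_array($scheme, ['http', 'https'], true) || !in_array($port, [80, 443], true)) {
        return null;                   // keeps the proxy off internal/admin ports
    }
    $host = strtolower($p['host']);
    // Resolve once and pin the answer so a later lookup cannot swap in an internal address
    // (gethostbynamel is IPv4-only; names without an A record are refused).
    $ips = filter_var($host, FILTER_VALIDATE_IP) ? [$host] : (gethostbynamel($host) ?: []);
    if ($ips === []) {
        return null;
    }
    foreach ($ips as $ip) {
        if (!filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)) {
            return null;               // 127/8, 10/8, 172.16/12, 192.168/16, 169.254/16, ...
        }
    }
    return ['host' => $host, 'port' => $port, 'ip' => $ips[0]];
}

// Fetch through the pinned address with a size cap and timeouts; only image bodies are returned.
function fetch_proxied_image(string $url, int $max_bytes = 5 * 1024 * 1024): ?string
{
    $t = resolve_safe_proxy_target($url);
    if ($t === null) {
        return null;
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,   // a redirect could point back at the LAN
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_RESOLVE        => ["{$t['host']}:{$t['port']}:{$t['ip']}"],
        CURLOPT_MAXFILESIZE    => $max_bytes,  // honoured when Content-Length is sent
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 15,
    ]);
    $body = curl_exec($ch);
    $type = (string) curl_getinfo($ch, CURLINFO_CONTENT_TYPE);
    $ok = is_string($body) && strlen($body) <= $max_bytes && strncmp($type, 'image/', 6) === 0;
    curl_close($ch);
    return $ok ? $body : null;
}
```

The size cap and timeouts address the large-download and request-chaining DoS angle; the address check addresses the internal-network reads.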

Exploit · Fix

Weakness Enumeration: SSRF

Related Identifiers

BDU:2023-05970
CVE-2023-41054
GHSA-P4F9-H8X8-MPWF

Affected Products

Librey