PT-2024-21119 · Open Library Foundation · Vufind

Rob · Published 2024-05-22 · Updated 2024-11-12 · CVE-2024-25737

CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Open Library Foundation VuFind versions 2.4 through 9.1 before 9.1.1

Description: A Server-Side Request Forgery (SSRF) vulnerability in the "/Cover/Show" route, specifically in the showAction function of CoverController.php, allows remote attackers to reach internal HTTP servers and to perform Cross-Site Scripting (XSS) attacks, because the proxy GET parameter causes the server to fetch and return arbitrary URLs.

Recommendations: For Open Library Foundation VuFind versions 2.4 through 9.1 before 9.1.1, update to version 9.1.1, which resolves the issue. As a temporary workaround, restrict access to the "/Cover/Show" route or disable the showAction function in CoverController.php until the update can be applied, and avoid using the proxy GET parameter of the affected endpoint until then.
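As an added detection example (not code from this advisory or from the VuFind project), the following Python flags /Cover/Show requests whose proxy parameter points at a loopback, private or unspecified address, uses a non-HTTP scheme, or names a host outside an allowlist of cover providers. The allowlist hosts, the ".internal" suffix rule and the sample access-log lines are constructed assumptions for illustration.

```python
"""Detector for CVE-2024-25737-style abuse of the VuFind /Cover/Show proxy parameter (constructed example)."""
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Hypothetical allowlist of cover-image providers a deployment legitimately proxies.
ALLOWED_PROXY_HOSTS = {"covers.example-library.org", "images.example-cdn.net"}
# Common Log Format: client ident user [date] "METHOD path proto" status size
LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" \d{3}')

def classify_proxy_target(request_path: str) -> str:
    """Return 'no-proxy', 'ok', or the reason a proxy= target should be reviewed."""
    parts = urlsplit(request_path)
    if parts.path.lower() != "/cover/show":
        return "no-proxy"
    proxy_vals = parse_qs(parts.query).get("proxy")
    if not proxy_vals:
        return "no-proxy"
    target = urlsplit(proxy_vals[0])  # parse_qs has already percent-decoded the value
    if target.scheme not in ("http", "https"):
        return "bad-scheme"
    host = target.hostname or ""
    try:
        ip = ipaddress.ip_address(host)  # IP literal: reject anything not publicly routable
        if ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_unspecified:
            return "internal-ip"
    except ValueError:
        pass  # a hostname rather than an IP literal
    if host == "localhost" or host.endswith(".internal"):
        return "internal-name"
    if host not in ALLOWED_PROXY_HOSTS:
        return "unlisted-host"
    return "ok"

def scan_access_log(lines):
    """Return (client, path, verdict) for every proxied cover request that is not 'ok'."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        verdict = classify_proxy_target(m.group("path")) if m else "no-proxy"
        if verdict not in ("ok", "no-proxy"):
            findings.append((m.group("client"), m.group("path"), verdict))
    return findings

# Constructed sample log: a legitimate cover fetch, a loopback target, an unlisted host.
SAMPLE_LOG = [
    '203.0.113.5 - - [22/May/2024:10:00:01 +0000] "GET /Cover/Show?proxy=https%3A%2F%2Fcovers.example-library.org%2Fisbn%2F123.jpg HTTP/1.1" 200 5120',
    '203.0.113.9 - - [22/May/2024:10:00:07 +0000] "GET /Cover/Show?proxy=http%3A%2F%2F127.0.0.1%3A8080%2F HTTP/1.1" 200 840',
    '203.0.113.9 - - [22/May/2024:10:00:09 +0000] "GET /Cover/Show?proxy=http%3A%2F%2Fnot-a-cover-provider.example%2Fx.html HTTP/1.1" 200 310',
]
```

Run `scan_access_log` over a real access log to list the client, request path and reason for every proxied cover request that needs review; a hostname-based allowlist does not resolve DNS, so a fixed deployment should also enforce the allowlist server-side rather than rely on log review alone.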

Fix · SSRF · XSS

Weakness Enumeration

Related Identifiers: CVE-2024-25737 · GHSA-FWHC-MM9Q-MQQ8

Affected Products: Vufind