CVE-2024-25738

Name of the Vulnerable Software and Affected Versions Open Library Foundation VuFind versions 2.0 through 9.1 before 9.1.1

Description A Server-Side Request Forgery (SSRF) vulnerability in the "/Upgrade/FixConfig" route allows a remote attacker to overwrite local configuration files to gain access to the administrator panel and achieve Remote Code Execution. The vulnerability requires the allow url include PHP runtime setting to be on, which is off in default installations, and the "/Upgrade" route to be exposed, which is exposed by default after installing VuFind.

Recommendations For versions 2.0 through 9.1 before 9.1.1, update to version 9.1.1 or later to resolve the issue. As a temporary workaround, consider disabling the "/Upgrade" route by setting autoConfigure to false in config.ini to minimize the risk of exploitation. Restrict access to the "/Upgrade/FixConfig" route to prevent potential attacks.