PT-2024-21947 · Wondercms · Wondercms

Zer0Yu · Published 2024-03-05 · Updated 2025-01-21 · CVE-2024-27563

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: WonderCMS version 3.1.3
Description: A Server-Side Request Forgery (SSRF) issue in the getFileFromRepo function allows attackers to force the application to make arbitrary requests by injecting crafted URLs into the pluginThemeUrl parameter. This enables attackers to manipulate the application into accessing unauthorized resources, such as services that are reachable only from the server's own network.
Recommendations: For WonderCMS version 3.1.3, as a temporary workaround, consider disabling the getFileFromRepo function until a patch is available. Restrict access to the pluginThemeUrl parameter (for example, by accepting only URLs on an allowlist of expected repository hosts) to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
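One way to restrict the value that reaches a repository-fetching function, as an added example that is not WonderCMS code and not part of this advisory: the function names `isSafeRepoUrl` and `fetchRepoFile` and the host allowlist are assumptions for illustration; the approach is an https-only, allowlisted-host check plus a refusal to follow redirects, which is the standard SSRF mitigation for user-supplied URLs.

```php
<?php
// Added example (hypothetical, not the project's own code): validate a
// plugin/theme repository URL before fetching it. Allowlist is an assumption.
const ALLOWED_REPO_HOSTS = ['github.com', 'raw.githubusercontent.com'];

/** True only for an https URL on an allowlisted host with no credentials,
 *  no custom port, and no DNS answer in a private/reserved range. */
function isSafeRepoUrl(string $url): bool
{
    $p = parse_url($url);
    if ($p === false || empty($p['host']) || ($p['scheme'] ?? '') !== 'https') {
        return false;                          // malformed or non-https
    }
    if (isset($p['user']) || isset($p['pass']) || isset($p['port'])) {
        return false;                          // user@host or :port tricks
    }
    $host = strtolower($p['host']);
    if (!in_array($host, ALLOWED_REPO_HOSTS, true)) {
        return false;                          // host not on the allowlist
    }
    // Defence in depth: refuse names that resolve to non-public addresses.
    foreach (gethostbynamel($host) ?: [] as $ip) {
        if (!filter_var($ip, FILTER_VALIDATE_IP,
                FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)) {
            return false;
        }
    }
    return true;
}

/** Hypothetical hardened fetch: validates first, never follows redirects. */
function fetchRepoFile(string $repoUrl, string $fileName): ?string
{
    $url = rtrim($repoUrl, '/') . '/' . basename($fileName); // no ../ in name
    if (!isSafeRepoUrl($url)) {
        return null;
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,       // a redirect could point inward
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS,
        CURLOPT_TIMEOUT        => 10,
    ]);
    $body = curl_exec($ch);
    curl_close($ch);
    return $body === false ? null : $body;
}

// Constructed input standing in for a tampered pluginThemeUrl value.
echo isSafeRepoUrl('http://127.0.0.1/admin') ? "allowed\n" : "rejected\n";
```

The DNS check is a second layer only; the allowlist is what actually bounds where the application may connect.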

Exploit

SSRF


Weakness Enumeration

Related Identifiers

CVE-2024-27563

Affected Products

Wondercms