CVE-2024-2828

Name of the Vulnerable Software and Affected Versions lakernote EasyAdmin versions up to 20240315

Description A critical issue was found in the function thumbnail of the file src/main/java/com/laker/admin/module/sys/controller/IndexController.java. The manipulation of the argument url leads to server-side request forgery. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

Recommendations For versions up to 20240315, apply a patch to fix this issue, specifically the patch identified as 23165d8cb569048c531150f194fea39f8800b8d5. As a temporary workaround, consider disabling the thumbnail function until a patch is available. Restrict access to the IndexController.java file to minimize the risk of exploitation. Avoid using the url argument in the affected function until the issue is resolved.