PT-2025-45352 · Unknown · Metinfo Cms
Published: 2025-11-06 · Updated: 2026-02-04 · CVE-2025-63551
CVSS v3.1: 7.5 High
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: MetInfo Content Management System (CMS) versions through 8.1

Description: A Server-Side Request Forgery (SSRF) issue, reachable through an XML External Entity (XXE) injection, exists. The flaw is a defect in the XML parsing logic that lets an attacker construct a malicious XML entity which forces the server to initiate an HTTP request to an arbitrary internal or external network address. Successful exploitation could lead to internal network reconnaissance, port scanning, or the retrieval of sensitive information. The vulnerability may be present in the backend API called by or associated with the API endpoint /admin/#/webset/?head tab active=0, where user-provided XML data is processed.

Recommendations: Versions prior to 8.1 should be updated. As a temporary workaround, consider restricting access to the API endpoint /admin/#/webset/?head tab active=0 until a fix is available.
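The mitigation class the description implies, shown as an added example that is not MetInfo code and does not reproduce the product's parser: any document type declaration (the only place an external entity can be defined) is refused before the body reaches the XML parser, and only UTF-8 bodies are accepted so the keyword scan cannot be bypassed through another encoding. The function names, the size ceiling and both sample documents are constructed for this illustration.

```python
"""Screen untrusted XML before parsing so that a DOCTYPE (the carrier for
XXE entity definitions) is never handed to the parser.

Added illustration of the mitigation, not MetInfo code. The names below
and the two sample documents are constructed for this example."""
import re
import xml.etree.ElementTree as ET

MAX_BYTES = 64 * 1024  # assumed ceiling for a settings payload; tune per deployment

# XML keywords are case-sensitive, but matching case-insensitively costs
# nothing and also catches sloppy variants that a front-end filter might miss.
_DECL_RE = re.compile(r"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)


class UnsafeXML(ValueError):
    """Raised when the payload is rejected before it reaches the parser."""


def screen_xml(data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason) for a raw request body.

    Accept UTF-8 only: scanning raw bytes for '<!DOCTYPE' would miss a
    UTF-16 body, so decode first and refuse anything that is not UTF-8.
    """
    if len(data) > MAX_BYTES:
        return False, "payload exceeds %d bytes" % MAX_BYTES
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return False, "payload is not valid UTF-8"
    if _DECL_RE.search(text):
        return False, "DOCTYPE/ENTITY declarations are not accepted"
    return True, "ok"


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Screen, then parse.

    ElementTree itself does not fetch external entities, but the screen
    gives a clear rejection instead of a parse error and also removes the
    DTD-based entity-expansion surface from the request path.
    """
    accepted, reason = screen_xml(data)
    if not accepted:
        raise UnsafeXML(reason)
    return ET.fromstring(data)


def is_accepted(data: bytes) -> bool:
    """True if the payload screens and parses cleanly, False otherwise."""
    try:
        parse_untrusted_xml(data)
    except (UnsafeXML, ET.ParseError):
        return False
    return True


# Constructed sample: a benign settings document.
BENIGN = b"""<?xml version="1.0" encoding="UTF-8"?>
<webset><title>Example site</title><head_tab>0</head_tab></webset>"""

# Constructed sample: the shape of an XXE probe, an external entity that a
# naive parser would resolve by issuing an HTTP request (placeholder host).
XXE_PROBE = b"""<?xml version="1.0"?>
<!DOCTYPE webset [<!ENTITY probe SYSTEM "http://internal.invalid/">]>
<webset><title>&probe;</title></webset>"""

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("xxe probe", XXE_PROBE)):
        print(label, screen_xml(doc))
```

Placing the screen in front of the parser, rather than relying on parser options alone, means the rejection is logged with a reason and survives a later swap of XML library; a settings payload never legitimately needs a DTD, so refusing every DOCTYPE costs no functionality.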

Exploit · Fix
SSRF · XXE
Weakness Enumeration
Related Identifiers: CVE-2025-63551
Affected Products: Metinfo Cms