CVE-2023-7037

Severity: LOW 3.7 | EPSS: 0.16%

Authenticated Blind SSRF in automad/automad

Published: 12/21/2023 | Modified: 8/19/2024
Also known as: GHSA-q5q3-qm26-9jwm

Description

automad up to 1.10.9 is vulnerable to an authenticated blind server-side request forgery (SSRF): the `import` function in `FileController.php` did not validate the value of its `importUrl` argument before the server fetched it. An authenticated user can therefore make the automad server issue requests to hosts of their choosing, including loopback and internal addresses. The response body is not returned to the attacker, so the SSRF is blind; timing and error differences are still enough to port-scan the local environment, and reachable internal services may be abused.
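As an added example (not code from automad; the project's actual `import` routine is not reproduced here), the following PHP sketch puts the unvalidated-URL pattern the description refers to beside a hardened version. The function names `importVulnerable`, `importHardened` and `publicAddressesFor`, and the use of cURL for the fetch, are assumptions made for the illustration; the URLs in the usage lines are constructed and are rejected before any request is sent.

```php
<?php
// Added example, not automad's own code: a hypothetical import handler that
// shows the unvalidated-URL pattern the advisory describes next to a hardened
// version. Function names are assumptions for illustration. Requires PHP 8.0+.

declare(strict_types=1);

// Vulnerable pattern: the user-controlled URL goes straight to the HTTP client.
// An authenticated user can submit http://127.0.0.1:6379/ or http://10.0.0.5:22/
// and, even without seeing the body, tell open ports from closed ones by
// response time and error type: a blind SSRF usable as an internal port scan.
function importVulnerable(string $importUrl): string|false
{
    return @file_get_contents($importUrl);
}

// Resolve $host and return its addresses only if every one of them is
// publicly routable. Returns null when the host resolves to loopback,
// RFC 1918, link-local (which includes the 169.254.169.254 cloud metadata
// address) or other reserved space, or does not resolve at all.
function publicAddressesFor(string $host): ?array
{
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        $addresses = [$host];                 // literal IP, nothing to resolve
    } else {
        $addresses = array_merge(
            array_column(dns_get_record($host, DNS_A) ?: [], 'ip'),
            array_column(dns_get_record($host, DNS_AAAA) ?: [], 'ipv6')
        );
    }
    if ($addresses === []) {
        return null;
    }
    foreach ($addresses as $ip) {
        if (filter_var($ip, FILTER_VALIDATE_IP,
                FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
            return null;
        }
    }
    return $addresses;
}

// Hardened pattern: allow-list the scheme, validate every resolved address,
// pin the connection to those addresses, and refuse redirects.
function importHardened(string $importUrl): string|false
{
    $parts = parse_url($importUrl);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    $scheme = strtolower($parts['scheme']);
    if (!in_array($scheme, ['http', 'https'], true)) {
        return false;                         // no file://, gopher://, ftp://, ...
    }
    $host = $parts['host'];
    $port = $parts['port'] ?? ($scheme === 'https' ? 443 : 80);

    $addresses = publicAddressesFor($host);
    if ($addresses === null) {
        return false;
    }

    $ch = curl_init($importUrl);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        // A public host that 302s to http://127.0.0.1/ would otherwise bypass the check.
        CURLOPT_FOLLOWLOCATION => false,
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 15,
        // Pin the connection to the addresses we validated, so a DNS answer that
        // changes between our lookup and cURL's (DNS rebinding) cannot steer the
        // request to an internal address. IPv6 literals need brackets here.
        CURLOPT_RESOLVE => [
            "{$host}:{$port}:" . implode(',', array_map(
                fn(string $ip) => str_contains($ip, ':') ? "[{$ip}]" : $ip,
                $addresses
            )),
        ],
    ]);
    $body = curl_exec($ch);
    curl_close($ch);
    return $body;
}

// Usage with constructed URLs; each is rejected before any request is made.
var_dump(importHardened('http://127.0.0.1:6379/'));         // bool(false): loopback rejected
var_dump(importHardened('http://169.254.169.254/latest/'));  // bool(false): link-local rejected
var_dump(importHardened('file:///etc/passwd'));              // bool(false): scheme not allowed
```

Two of the checks matter more than they look. Validating the hostname string alone is bypassable by DNS rebinding, which is why the resolved addresses are both checked and pinned with `CURLOPT_RESOLVE`; and a public host that answers with a redirect to loopback defeats any pre-flight check unless redirects are refused. The sketch rejects bracketed IPv6 literal hosts outright rather than parsing them, and a deployment that only ever imports from web servers should additionally restrict the port to 80 and 443.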

Affected packages (1)

CVSS scores

Source | Version  | Severity | Vector
osv    | CVSS 3.1 | LOW 3.7  | CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N

References (5)