Risk: Medium
Patch available: Yes
Number of vulnerabilities: 1
CVE-ID: CVE-2018-13790
CWE-ID: CWE-918
Exploitation vector: Network
Public exploit: N/A
Vulnerable software: concrete5 (Web applications / CMS)
Vendor: PortlandLabs
Security Bulletin
This security bulletin contains one medium risk vulnerability.
EUVDB-ID: #VU36933
Risk: Medium
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2018-13790
CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)
Exploit availability: No
Description
The vulnerability allows a remote privileged user to execute arbitrary code.
A Server Side Request Forgery (SSRF) vulnerability in tools/files/importers/remote.php in concrete5 8.2.0 can lead to attacks on the local network and mapping of the internal network, because of URL functionality on the File Manager page.
Mitigation
Install the update from the vendor's website.
Vulnerable software versions: concrete5 5.8.2.0
External links: https://hackerone.com/reports/243865
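The importer-side check that closes this class of bug, as an added example in Python that is not concrete5's code: it accepts only http/https URLs, resolves the host, and rejects any answer that lands in loopback, private, link-local or other non-public address space (IPv4-mapped IPv6 included). The function names and the FAKE_DNS table are assumptions constructed for the example so it runs offline.

```python
# Added example, not concrete5 code: validate a remote-import URL before fetching it.
# Function names are hypothetical; FAKE_DNS is a constructed table for offline use.
import ipaddress
import socket
from urllib.parse import urlsplit

def resolve_host(hostname):
    # Every address the name maps to (A and AAAA); all of them must be public.
    infos = socket.getaddrinfo(hostname, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

def is_public_address(addr_text):
    """True only for a globally routable unicast address."""
    addr = ipaddress.ip_address(addr_text)
    # IPv4-mapped IPv6 (::ffff:10.0.0.1) is judged as the embedded IPv4 address.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr.is_global and not (addr.is_private or addr.is_loopback
                                   or addr.is_link_local or addr.is_multicast
                                   or addr.is_reserved or addr.is_unspecified)

def check_import_url(url, resolver=resolve_host):
    """Return (ok, reason). `resolver` is injectable so the check runs offline."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https"):
        return False, "scheme not allowed"
    host = parts.hostname
    if not host or host.lower() == "localhost":
        return False, "missing or blocked host"
    try:
        addrs = resolver(host)
    except (OSError, ValueError):  # socket.gaierror is an OSError subclass
        return False, "unresolvable host"
    for addr_text in addrs:
        if not is_public_address(addr_text):
            return False, f"resolves to non-public address {addr_text}"
    # Fetch from one of `addrs` directly rather than re-resolving (DNS rebinding).
    return True, "ok"

# Constructed DNS table so the check can be exercised without network access.
FAKE_DNS = {
    "example.test": ["93.184.216.34"],
    "intranet.test": ["10.1.2.3"],
    "dual.test": ["93.184.216.34", "::ffff:127.0.0.1"],
}

def fake_resolve(hostname):
    # Offline stand-in for resolve_host: table lookup, or a literal IP as-is.
    if hostname in FAKE_DNS:
        return FAKE_DNS[hostname]
    return [str(ipaddress.ip_address(hostname))]  # ValueError if not a literal
```

Because the check runs on the resolved addresses rather than on the URL text, alternate spellings of an internal address (bracketed IPv6, mapped IPv6, a name that quietly resolves inward) all fail the same way.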
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.