Server-Side Request Forgery (SSRF) in concrete5 - CVE-2018-13790

Published: July 9, 2018 / Updated: August 8, 2020


Vulnerability identifier: #VU36933
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2018-13790
CWE-ID: CWE-918
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: PortlandLabs
Affected software: concrete5

Detailed vulnerability description

The vulnerability allows a remote privileged user to execute arbitrary code.

A Server Side Request Forgery (SSRF) vulnerability in tools/files/importers/remote.php in concrete5 8.2.0 can lead to attacks on the local network and mapping of the internal network, because of URL functionality on the File Manager page.
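As an added illustration, not code from concrete5 or from this advisory, the kind of defender-side check a remote-file importer needs before fetching a user-supplied URL: it restricts the scheme, resolves the host, and refuses any address that is not globally routable, including IPv4-mapped IPv6 forms. The hostnames and addresses in FAKE_DNS are constructed, and the `resolve` parameter is an assumption so the check runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def is_public_address(ip_text):
    """True only for globally routable unicast addresses: rejects loopback,
    RFC 1918, link-local (incl. cloud metadata 169.254.0.0/16), multicast."""
    ip = ipaddress.ip_address(ip_text)
    # Unwrap ::ffff:10.0.0.5 so the IPv4 rules apply to mapped addresses too.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global and not ip.is_multicast


def system_resolve(host):
    """Default resolver: all A/AAAA answers for the host (raises OSError)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_remote_import_url(url, resolve=system_resolve):
    """Return (ok, reason). The caller should connect to the validated
    address rather than re-resolving, to avoid a DNS rebinding window."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        ips = [str(ipaddress.ip_address(host))]  # literal IP: no DNS lookup
    except ValueError:
        try:
            ips = resolve(host)
        except OSError:
            return False, "DNS resolution failed"
    if not ips:
        return False, "host has no addresses"
    for ip in ips:
        if not is_public_address(ip):
            return False, f"resolves to non-public address {ip}"
    return True, "ok"


# Constructed stub DNS table for offline use; 8.8.8.8 stands in for any public address.
FAKE_DNS = {
    "cdn.example.com": ["8.8.8.8"],
    "intranet.example.com": ["10.0.0.5"],
    "mapped.example.com": ["::ffff:10.0.0.5"],
}


def fake_resolve(host):
    if host not in FAKE_DNS:
        raise OSError("NXDOMAIN")
    return FAKE_DNS[host]
```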


How to mitigate CVE-2018-13790

Install the update from the vendor's website.

Sources