Server-side request forgery in Allen Disk - CVE-2017-9307
Published: June 2, 2017 / Updated: June 2, 2017
Vulnerability identifier: #VU6858
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2017-9307
CWE-ID: CWE-918
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Allen Disk
Affected software:
Allen Disk
Detailed vulnerability description
The vulnerability allows a remote user to perform an SSRF attack.
The weakness exists due to an error in remotedownload.php. A remote attacker can conduct port scans and access intranet servers.
Successful exploitation of this vulnerability may allow an attacker to perform an SSRF attack to retrieve information for further attacks against the vulnerable system by making unauthorized connections to local resources, gain access to sensitive information and compromise the vulnerable system.
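The defensive check a remote-download feature of this kind needs is shown below as an added example; it is not Allen Disk's code and does not describe how remotedownload.php is written. It assumes a PHP handler that fetches a user-supplied URL with cURL, and the function names (validateDownloadUrl, resolveAll, fetchRemote) are placeholders. The validator restricts the scheme and port (so the server cannot be used as a port scanner), resolves the host and rejects loopback, private and link-local addresses, and the fetcher pins the checked address with CURLOPT_RESOLVE and refuses redirects so the target cannot change between the check and the request.

```php
<?php
// Added example, not part of the advisory or of Allen Disk: SSRF-resistant
// handling of a user-supplied download URL. All function names are assumptions.

// True when $ip falls in a loopback, private, link-local or otherwise reserved range.
function isDisallowedIp(string $ip): bool
{
    return filter_var(
        $ip,
        FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
    ) === false;
}

// Resolve every A/AAAA record; one bad address is enough to fail the check.
function resolveAll(string $host): array
{
    $records = @dns_get_record($host, DNS_A | DNS_AAAA);
    if ($records === false) {
        return [];
    }
    $ips = [];
    foreach ($records as $r) {
        if (isset($r['ip']))   { $ips[] = $r['ip']; }
        if (isset($r['ipv6'])) { $ips[] = $r['ipv6']; }
    }
    return $ips;
}

// Returns [ok, detail]; on success detail is the comma-separated list of checked addresses.
function validateDownloadUrl(string $url): array
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return [false, 'malformed URL'];
    }
    $scheme = strtolower($parts['scheme']);
    if (!in_array($scheme, ['http', 'https'], true)) {
        return [false, "scheme '$scheme' not allowed"];      // blocks file://, gopher://, ftp:// ...
    }
    $port = $parts['port'] ?? ($scheme === 'https' ? 443 : 80);
    if (!in_array($port, [80, 443], true)) {
        return [false, "port $port not allowed"];            // no probing of arbitrary intranet ports
    }
    $host = trim($parts['host'], '[]');                       // bare IPv6 literal without brackets
    $addresses = filter_var($host, FILTER_VALIDATE_IP) !== false ? [$host] : resolveAll($host);
    if ($addresses === []) {
        return [false, 'host does not resolve'];
    }
    foreach ($addresses as $ip) {
        if (isDisallowedIp($ip)) {
            return [false, "host resolves to disallowed address $ip"];
        }
    }
    return [true, implode(',', $addresses)];
}

// Fetch only after validation, pinning the resolved address and refusing redirects.
function fetchRemote(string $url): ?string
{
    [$ok, $detail] = validateDownloadUrl($url);
    if (!$ok) {
        error_log("remote download rejected ($url): $detail");   // rejections are worth alerting on
        return null;
    }
    $parts  = parse_url($url);
    $scheme = strtolower($parts['scheme']);
    $port   = $parts['port'] ?? ($scheme === 'https' ? 443 : 80);
    $ip     = explode(',', $detail)[0];

    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,                         // a redirect could point back inside the network
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_RESOLVE        => ["{$parts['host']}:$port:$ip"], // use the address we checked, not a fresh lookup
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 30,
        CURLOPT_MAXFILESIZE    => 50 * 1024 * 1024,
    ]);
    $body = curl_exec($ch);
    curl_close($ch);
    return $body === false ? null : $body;
}

// Constructed sample inputs: the first three are rejected without any network access.
foreach (['file:///etc/passwd', 'http://127.0.0.1/', 'http://10.0.0.5:8080/', 'https://example.com/'] as $u) {
    [$ok, $detail] = validateDownloadUrl($u);
    printf("%-28s %s %s\n", $u, $ok ? 'ALLOW' : 'REJECT', $detail);
}
```

Resolving the name in the validator and then handing the same address to cURL is the point of the design: a check that resolves once and lets the HTTP client resolve again is open to a DNS answer that changes between the two lookups. The log line on rejection gives the operations team a signal that someone is probing the feature.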
How to mitigate CVE-2017-9307
Cybersecurity Help is currently unaware of any official patch addressing the vulnerability.