216.73.217.86

CVE-2024-25738

· Published 22/05/2024 19:15 · Modified 22/05/2024 19:15

Labels: CVE-2024-25738 2024-05-22CVE-2024-25738[email protected]

Essential information

Published
22/05/2024 19:15
Modified
22/05/2024 19:15
Author
Creator
CISA KEV
No
CWE

Description

A Server-Side Request Forgery (SSRF) vulnerability in the /Upgrade/FixConfig route in Open Library Foundation VuFind 2.0 through 9.1 before 9.1.1 allows a remote attacker to overwrite local configuration files to gain access to the administrator panel and achieve Remote Code Execution. A mitigating factor is that it requires the allow_url_include PHP runtime setting to be on, which is off in default installations. It also requires the /Upgrade route to be exposed, which is exposed by default after installing VuFind, and is recommended to be disabled by setting autoConfigure to false in config.ini.

NVD status

Status
Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

References